[This Transcript is Unedited]
Hubert H. Humphrey Building
200 Independence Ave
Room 425A
Washington, DC 20201
TABLE OF CONTENTS
Agenda Item: Call Meeting to Order, Review Meeting Goals
DR. COHN: I want to call this meeting to order. This is the meeting of the Ad Hoc Workgroup on Secondary Uses of Health Information of the National Committee on Vital and Health Statistics. The national committee as you all know is a statutory public advisory committee to the US Department of Health and Human Services on national health information policy. I am Simon Cohn and I am Associate Executive Director for Kaiser Permanente and Chair of the committee. I want to welcome committee members, HHS staff, consultants, and others here in person. I do want to mention that today we are not on the Internet, but we are being recorded. So, as always, I would ask you to speak clearly and into the microphone so we can produce notes from this meeting.
With that, let us have introductions around the
table and then around the room. For those on the national committee, I would ask if you have any conflicts of interest on any of the issues coming before us today, would you so please state during your introduction. I want to begin by observing that I have no conflict of interest.
[Introductions around the table.]
DR. COHN: Okay, I want to welcome everyone this morning. Let me just talk a little bit about what is going to be happening. Actually we will first sort of comment about the schedule for the next day and a half. Just to be clear with everyone, what is happening this morning is we have a meeting with the Ad Hoc Workgroup. That meeting will proceed through the morning and will adjourn around twelve noon. Then this afternoon, we will have a meeting of the Privacy and Confidentiality subcommittee of the NCVHS in this room. So, that will start at 1:00. Tomorrow morning, we will start at about 8:30 and continue with our conversations around the draft report, our observations and recommendations. Once again, with the intent to adjourn around twelve noon.
Now, today is the fifth meeting of this
workgroup. I just want to start by thanking all of you. I am not going to name you all individually, but I think for all of us it was a busy summer. It is turning out to be a busy fall on this topic. I think most of us feel that we are probably 80 to 85 percent of the way there. Hopefully, by tomorrow it will be in the 94 percent range in terms of completion. I want to thank you all. I think we have all spent the summer and fall together. I want to especially thank Justine and Harry for not only spending the summer and fall together, but when we are not together we are also sending night calls with Margaret and others. So, I think this has really been a view of some of the finest in NCVHS sort of coming forward at the request of the department to sort of quickly work on a complex and important issue and hopefully be able to come up with some practically possible recommendations and next steps that the secretary can actually begin to move forward on as well as the department. Obviously that will be determined as we move through today and tomorrow.
Now, we will start this session with an overview of the report and recommendations. You can see in front of you a PowerPoint. Justine and Harry are going to be leading this. This is really meant to be just to sort of remind us all of what is in this report. Last night when I was talking with Harry and Justine, my initial plan was to start on line one and go to line 1500 by tomorrow at noon and basically review the report on a line-by-line basis. I was persuaded by them that we may still need to do that, but probably to begin with given that as we all observe some of the early parts of the report need streamlining, not that the content is wrong, but it is sort of redundant and things need to be reorganized. It was not going to make a lot of sense for us to delve deeply into the wording of the first part today.
Instead, what we are going to do is go through
some slides to help remind us about the framing of the report as well as at a high level talk about the observations and recommendations. The view is that we first of all need to start at a forest level before we go into the trees. Because if we go line by line on the observations and recommendations without realizing how these things all fit together, we are going to find ourselves arguing about recommendation 1 when it is really covered in observation 5. As I say all that, the question will continue to be are these the right recommendations? Are we missing anything? Certainly for that conversation, we just need to be aware and be capturing those pieces. We are also close to this that I think it is hard to sort of take a step back and look. So, that will be certainly part of the conversation.
From there, we will then move a little more into the tree level and begin to move through the specific observations and recommendations. Now, this is, as I said, accounting for what is not there. Wording that does not fully express the content well. I know you are all excellent editors. I think I told you my father is a professor of English. When I get into redlining, I am a terror. This is not the time for spending a lot of time arguing the precise word unless it affects meaning. We obviously do really want to take redlines offline and get that information and get it to Margaret in process of the next version.
So we will hopefully do that today. This afternoon, Margaret is going to be working on further revisions. We will have a chance tomorrow to review those around observations and recommendations and then go back to the actual body of the text and see how it flows in our views on that. So, is everybody okay with the process for today and tomorrow? Paul?
DR. TANG: I think the process sounds very good. I wonder if we could look at the forest and make sure certain things are covered. I wonder if we could innumerate those certain things that should be in our mental checklist as we go through ahead of time. Before delving in, which can draw you into what we have there, we should first say, what are we looking for to make sure we have those things covered?
Here is an example, from the testimony there are a few things that we should focus on. What happens if we do get in the trees all the time, you may miss the forest. So, three things that I think we heard the concerns were commercialization of data, the dealing with the business associate, provision clause contract, and the conversion that the transition the grain is between QI and research. Those are three sort of high-level things we heard a lot about. We hope that after you read this, you should come out with some kind of clarity, if not clarity, the next steps on how to get clearer. That is sort of the example.
DR. VIGILANTE: If I was to add to that, I think there is a lot of recommendations here still in which I think we can look at each one and say, what is the risk benefit ratio in terms of unintended consequences that we may not even imagine or be in a position to imagine because – the future state of the complexity by definition of unintended consequences.
MR. ROTHSTEIN: I think one analytical tool that might be helpful is that we heard a wide range of testimony at the various hearings. From both the comments that were made at the meeting and informally, some of the practices that were described to us were in some instances troubling. What I would like to invite you to think about is, as we go through the recommendations that we have made, how would things be different if at all if the world were according to our recommendations versus the way that they currently are. The things that we are recommending clean up some of the practices that we thought were kind of inappropriate. That may be valuable to do.
If we are talking about broad themes, another
broad theme that I would raise is the issue of De-identified information. The HIPAA privacy rule is based on the assumption that if it is De-identified, it is not PHI and nothing bad can happen to you as a result of somebody using that. I think that we have heard and recognize in the text several places, but necessarily in the recommendations that there are some harms that come from De-identified information. I think that we need to check the recommendations to see whether we do an adequate job of addressing in our recommendations the concerns for the possible harms of De-identified information.
I would add as a footnote to at least my statement, but I do not know whether we want to go so far in the document as saying, I question whether going forward the distinction that is drawn between De-identified and identified information continues to be meaningful. It is a foundation of the privacy rules, I think given technologies and the kinds of research that is ongoing and the like that the distinction will become increasingly untenable and it needs to be replaced by some new paradigm that I have nothing to offer. I am just sort of troubled by the assumptions that we are all proceeding on now.
DR. COHN: Before we try to solve that particular problem, let us at least lay it on the table so as we look at the recommendations we can see what we think of all that.
Any final opening comments before I include my opening comments? I do just want to spend a minute to talk about at least my view of the next steps. The next steps are tomorrow on further improvement in this document. I am certainly very concerned to make sure that we get some additional input on the document that we are preparing. I think we have obviously gotten lots of public testimony. We have been meeting in open session and reviewing the document for the full committee last week and obviously today. Not that many people have seen the full document. Of course every three days, the full document changes yet again. I am hoping that after the meetings today and tomorrow, we will be in a position to begin to distribute and seek public comment on the document and the recommendations contained therein. The idea being that on October 17, we do have a conference call scheduled for the committee for the Ad Hoc Workgroup.
My intent is, assuming we leave here tomorrow
sort of feeling this is the right thing to do is to have that be an open session, invite public comment on the report either in verbal or in written fashion and begin to get some wider input before we finalize it and bring it to the full committee. I always feel these things are improved by new sets of eyes looking at what we are doing. That is not to say that everybody will agree with all aspects of the report. In fact, I am sure that this will not be a report that everybody says, I agree with every single one of these recommendations. I think it is important that we hear and get a sense of those in the industry and basically the public and private sectors sort of feel about what we have done to date.
Now, is that generally a – I see people nodding their heads. So, we obviously need to touch basis as we get in finishing tomorrow and make sure that we – We need to have a document that we feel good enough about that it represents our thoughts that we can appropriately get that. Mary Jo I see you are beaming to raise your hand here.
DR. DEERING: Well, it is just as a place holder for my poor memory because we do not have to really visit it until tomorrow, but should the workgroup wish to extend the call for comments widely, we still have the distribution list from last year's exercise when we had an open call. So, we have the ability if we so choose to widen it to those who provided input on the NHIN requirements. A lot of whom are knowledgeable enough. Almost all of them would probably be very appropriate to be put on. So, just a placeholder.
DR. COHN: Well, certainly the previous testifiers and other groups that we want to offer them the opportunity to review and provide any comments. I think preferably written, but also verbal for them would be appreciated. Paul?
DR. TANG: That reminds me of one more high level filter to make it significantly shorter. I think we can because there is a lot of duplication. I mean I would think that we can make it 40 percent shorter.
DR. COHN: I think that is why we are reviewing the next part. Now, final comment, and I will make this in terms of process is that assuming we are moving forward, reaching consensus, I think a view would be that we would have an open conference call while the full committee, the first week of November where this will be an action item for consideration by the full committee. I do not think that has been scheduled yet. I think we will go forward trying to make that happen. Once again, we will have a better sense by tomorrow.
Now, with that, Justine, I want to turn it over to you to sort of go through some of the slides. Justine will start, and Harry will talk more specifically about the observations and recommendations and we can sort of begin to do some of the filters from the conversations and the issues that we were all just bringing up.
Agenda Item: Review Themes and Issues Raised at the Full NCVHS Committee Meeting
DR. CARR: Thank you. So, we are actually working from the starter set of slides we had before. I think what I will do is Margaret has amplified some where we have some additional considerations. I think we will just build on that framework. I think as we get to each slide, if there are things that have been pointed out, I am fine with being interrupted.
On the first slide is just the excerpts from the ONC request. I think we had a good discussion this morning at breakfast and brought out some of the specifics with ONC with the looking forward to NHIN and the traveling of data through health information exchanges, conduits, and involving multiple entities. I think what we heard this morning is that we do want to pay attention to what are the relationships of all of the entities that either receive or transmit data and to whom do they report and what exactly should they be reporting? That is all I will say about that. We can come back to it, Margaret.
The next one is our scope of work. I think we are all familiar with this policy framework. The premises that HIT is not – it is not quality unto itself. Next.
I would like to pause on this. Yesterday I presented to the AHIC Quality Workgroup. I would say this slide go the most resounding feedback in support of never using the term secondary. I think George in particular said, as we move into the new world it is impossible to tier the uses of data. So, Caroline and others all agreed that we should strike that word. Also, just that we should use strong words in the report.
DR. OVERHAGE: I just want to caution us that we end up slipping into enhanced uses as an alternative for secondary uses. You need some collection term to refer to this.
DR. CARR: But we have enhanced protection for uses of health data.
DR. OVERHAGE: I think this is right. It is hard thing to –
DR. CARR: Okay, thank you.
DR. TANG: I subscribe to what you just said, but we are on this side of the aisle in the sense of, we understand how the data can be used well and how it can be used well in a protective way. To the consumer, there is only one use that they are mostly concerned about. I would not want to lose that concept because that is probably the concept that is driving this whole activity. Do you all understand what I am saying? We understand what we just said. The consumer says, I walk in. I am expecting to get care. That is all I am expecting to get. The other things are secondary to the consumer's perspective. I am just worried about losing that concept.
DR. CARR: I would just say that we aught to really think about that more in depth because as John Lumpkin said early on, part of the challenge is the education of the consumers. As we move into this next world, we need to bring them along.
DR. TANG: Okay. Maybe, and this is also keeping with concepts that we talked
about just last week. For the consumer, it is all about unexpected use. We can
educate them on what should be expected in delivering higher and higher quality
care and improving the field of science. There is still something called
unexpected and unanticipated and unwanted. I do not know what the word is, but
that is the point.
DR. VIGILANTE: I have sort of been a broken record on this, and I will restrain
from going off on a tangent. I do think that secondary uses does capture the
notion that it is secondary to the original intent of the patient, which is to
share their – yield their private information for the purpose of being
taken care of. These other uses, while may be equally important at a societal
level or secondary intention of that. So, it may not be the best word, but we
do need an adjective to describe it.
DR. COHN: I was just going to say that I will weigh in on this one. I think the good news is the title walks the fine line between how we talk about this. I think that this slide makes a really very important point, as does the document that not all uses of data are equal that we really need to specify them. I guess I would speak that we do not spend the next day and a half arguing about what is primary and secondary. I am only reminded that we have gotten in conversations whether a consultant use of data is primary or secondary. Is payment use primary or secondary? Quality improvement, which to me is as important to care as care itself. Is that primary or secondary? I think we can spend a lot of our time just wandering around this area, but I do think this makes the point that we need to get to the specific case.
DR. CARR: Next slide. Okay, so why address uses of health data now? I think we have talked about this at our previous meeting. I think we are familiar with this. Let us go to the next slide. Again, we covered it at the last meeting. Health data available for incorporating into large databases are not just claims data. There is granular data, sources of electronic health information expand beyond HIPAA protections of covered entities and their business associates. So, this is something that I think we need to spend some time on and really line up what are these various entities, and where do they fall? We may not have all the answers, but at least to think about who is a business associate and what are the expectations of business associates and identify where the gaps are.
Okay, so I think we can move to the next slide. Uses of health for quality measurement reporting and approval. Improvement enabled by HIT, new benefits and potential challenges. So, the benefits are outlined and the fact that quality uses are not well understood by individuals who raises our issue about transparency. That is an important theme that we have heard. Linkage of information must assure privacy. It is a very important theme that we need to make sure we have addressed. Vendors who link data must not violate trust. I think also, we have been talking about what is the expectation for when vendors have data. What was it given for? What are they using for? If they change to use it for something else, how is that accountability hardwired? This issue of data for performance improvement may evolve into research. How do we manage that? In some of our discussions – I think one part is defining what is quality and what is research. I think there is also a need to speak to when everybody has to the best of their efforts identified something as quality, and unexpectedly turns into some important research. Can we just address that that does happen? How do we shepherd safely from quality to research to ensure privacy, but to not create an obstacle to important information getting out to a larger community.
The last point says quality data is essential for data aggregation. Again, this morning as we were speaking, we need some definitions also about what is aggregation? What does it mean? We use it many different ways, but a piece of it is that it be done correctly.
DR. FITZMAURICE: I would qualify data aggregation for maybe meaningful data aggregation.
DR. CARR: Accurate. There is two things. I guess to the stewardship thing too that if you have data and you aggregate it, you need to know what you are doing. Part of knowing what you are doing is knowing that your dataset is complete and accurate and –
DR. FITZMAURICE: So it is good methods and good data.
DR. CARR: Right. So, yes, that needs work a little bit.
DR. TANG: So it not data quality or data of high quality is what you mean right? Just a point, there is an NQF report that is coming out fairly soon that speaks specifically about metrics to qualify the quality of data in the EHR. I think those need to be linked.
DR. CARR: Then the HIPAA challenges, covered entity. One of the things we talked about today: payers, providers, and clearinghouses. Where do conduits fit? Entities fit the trends data without looking at it or managing it, but just sending it. Where do they fit? How do we think about that? The place that the data goes that are not covered under HIPAA. It is a clearinghouse issue?
DR. COHN: No, I think we tried to address that in one of the earlier recommendations, I think it is still in there. So, good.
DR. CARR: Covered entity use of business associates and their agents. Again, we talked about the challenges of what are the expectations? What is the contract? Is there an annual second look at that contract? If there is a change in the use of data that goes to the covered entity, how does that get communicated and addressed?
So, I apologize for not being too fast at these. So, the issue of TPO operations and quality within operations. So, I think this is something that we need to pay close attention to. So, right now, if you are doing quality within operations, there is no requirement for authorization. So, some of the issues that have come up are, what is the definition of quality? We heard also definition of quality versus research, the issue also of transparency for the individuals about how their data is going to be used.
DR. COHN: If I could actually just add – it was brought to my attention this morning about the issues that we somehow do not have marketing. That is one of those issues. We talk about privacy versus quality, but we do not talk about operations versus marketing. It actually is another cleavage. We talk about areas where there is cleavages and operations is obviously a large area. We generally do not see cleavages there. Certainly, in marketing, that would be an area the additional guidance could be helpful.
MS. AMATAYAKUL: Are you suggesting that there is a cleavage between quality and marketing or within marketing also?
DR. CARR: Are we talking about operations and marketing?
DR. COHN: I was talking about operative --
MS. AMATAYAKUL: Is there cleavage there or is there cleavage also within marketing? Maybe not within marketing as much, but within Paul's commercial uses?
DR. COHN: I want to help with this one –
DR. TANG: This is an area that went through lots of morphing during the Friday of HIPAA. The way it works is a covered entity may share information that would increase the use of its services, but not the services of a third part, and not the financial gain of a third party. That is sort of the way they got around saying, we can tell you that you are due for a flu vaccination, which would be something a provider offers. But you could not go with -- a retail pharmacy chain could not pay you to increase the use of drugs, even for more than that retail chain. So, there is the financial connection, and there has to be a connection – there is the financial relationship with any third party is relevant. It can only be for increasing uses of your own provider services.
DR. CARR: So, you could look at everybody who went. You could open a new glasses shop and look at your list of everybody who had an eye appointment last year, and send them a notice of your glasses shop.
DR. TANG: Yes, you can see how it can work both ways.
DR. COHN: I think Mark wants to make a comment on this.
MR. ROTHSTEIN: Yes, here is the concern about marketing and commercial uses of data. We talked about it at the various hearings and in the report as well in the text the fact that healthcare operations is very broad. We are not sure where to bring that in. It goes into at least the two areas. We have recognized that at some point in the quality purpose area, it sort of spreads into research. There is also point in which it can spread into commercialization, marketing, and selling of the information. I think that is an area where we need to at least in the report and recommendations, alert the department to this issue that we spotted that at the very least the department aught to provide guidance as to, okay, these kinds of practices are permitted healthcare operations, but if you go too far and start selling this stuff around even though it may be De-identified or if you had some notice that you are going to do this, it is too far. It is really marketing. You are going to need an authorization. So, that was the point that Simon and I discussed before the meeting.
DR. VIGILANTE: So, is that marketing? If you have data and you sell it to somebody and nobody knows about it. For instance, take the folks who came here from the cardiovascular quality project. They are out there collecting data on mortality and best practices under the rubric of a quality initiative. Then of course they start publishing the stuff in journals. I do not know what hoops they went through to do that, but they went ahead and did it. Thirdly, they are selling the data to medical device companies. Now, I would not call that marketing. That is a sustainable business model. Marketing to me is when you advertise what you have to offer to a consumer.
DR. CARR: I think they were doing that too, were they not? They talked about in New England that members of NNE had lowest mortality or something like that.
DR. VIGILANTE: When we use the word --
MR. ROTHSTEIN: Well, Kevin, the reason I use that word is because the privacy rule does not draw the distinction between commercial and noncommercial uses. The only thing that it draws a distinction for is “marketing” as it is defined in the rule. What my concern is that the commercialization of health information really starts in some instances to fail the consumer expectation test that we have kind of been dancing around. I think we need to recognize that in our report.
DR. VIGILANTE: I am not challenging it. I am just --
DR. CARR: Well, I want to ask the question just for clarity. Are we saying that as folks submit their quality data and they get to the top tier and they are noted as a top hospital, then say the recent 30-day mortality. If a hospital were in that top 10 percent tier, can they use that as part of their advertising?
MR. ROTHSTEIN: There is a problem with that. What I am talking about is the commercialization of individual health information. You are talking about aggregate data. That is so far removed, I think, from what patients are concerned about. I think what patients would be concerned about, and I think we heard testimony that would verify this is that their information that was freely given for the purpose of treatment is now being sold. There is some sales that I would conceive are legitimate. At some point, the commercialization that is not integral to care I think consumers have a legitimate concern about. I think we should recognize that.
DR. COHN: Mark, just to clarify because I am actually hearing the conversation become very alive with what Paul had mentioned earlier is --
MR. ROTHSTEIN: He said several things, but the one thing that I have subscribed to all along is that we need to recognize what consumers reasonably expect will be done with their data. When something goes beyond that, then something has to happen. What that something is, is it notice? Is it an opportunity to object? Is it a prohibition? There are all sorts of things that could happen, but I think that is the area where if it goes too far, everybody would say that is an inappropriate use.
DR. CARR: Moving on. De-identified data, I think this is an area that we need to pay attention to. A couple of things I think have come up since our last meeting, if we stay within HIPAA, all quality operations may use identified data. So, then whether it is annonomized, it does not matter, they can use identifiable data. Outside HIPAA is the De-identified data, which is defined as 17 identifiers taken off.
So, we heard from Latonia Sweeney about how you can re-identify, and then we have incorporated into some of the report some expectations that assessing the re-identifiability of data would be a responsibility of somebody. A couple of things is, unfortunately we do not have a publication or even a PowerPoint from Latonia Sweeney despite multiple requests. So, I think in the absence of having a primary document that we can reference and make available. It is very hard to just take the sound bytes of the notes of what people took at that meeting. Secondly, Judy Warren touched on this at the last meeting that if we are setting an expectation that a person using data has to provide a statistical analysis of re-identifiability, I think a question is, how do you do that? If you are giving your data to someone else, how do you know what other data sources they have? So, you really do not know that or how they would even manipulate the data set because they could get something down to a cell size of three. I think we need more clarity of our thought about what those expectations are in terms of assessing re-identifiability and who owns that and what is feasible to accomplish.
DR. FITZMAURICE: You raised an interesting point and that is, you might get it down to a cell size of three, so you threw out a personal interview the three people in that category and find out which one had the particular hospitalization. The privacy rule does not make that a crime. Nothing makes that a crime. Maybe that is a feature that we want to highlight that there aught to be a law against somebody trying to identify another individual on the basis of De-identified health information.
DR. STEINDEL: This brings us to the point that Mark was making earlier in the meeting about his statement that maybe we should stay away from the term De-identified because in today's world, that may not be a true statement. I think the point that you just made is very much correct. I think a researcher or somebody who is collecting data can make a statement about re-identification with respect to the population that they were studying and the data they were studying. But once that data is released, they can make no statement about what anyone else is going to do about their ability to re-identify it. That was what you just said, and I think that is totally correct. With regard to what Mike just said, even if we had a law that said you could not do it for marketing purposes. Someone could re-identify down to a cell size of five. They have no problem without sending marketing material to five people. They do not have problems with sending it to 10,000 people, so five is going to be great. So, I do not think a law will even help in that area.
DR. TANG: So, as we go through this, and Mark had put that as one of the things to look for, do you want us to come up with a consensus about how we feel about De-identified data as you go through this or later?
DR. CARR: It seems like – so, the point of this is we actually started out when you mentioned some of the things that are weighing on your mind that we haven't tied out. This is really an exercise to tease those things out. I do not know if there are things on the quality use case that we talked about today. What are the things that before we go home we have to have some consensus on?
DR. TANG: Is this at the inventory stage or the discussion stage?
DR. CARR: Inventory.
DR. COHN: I would just say this in terms of inventory. I think we somehow need to make a differentiation or be inclusive of there being identified data and these sort of aggregated reporting like 57 percent or 63 percent or whatever, which is a lot of what happens with this stuff when it gets reported. There needs to be a bullet somewhere that makes that distinction here.
DR. CARR: So, these seem to be where the pushback is coming. So, anything else on – In terms of the operations, the things that we talked about today of all the different places data can go, is there anything that we need to --
MS. ANDERSON: Sure, I think the one thing we want to keep in mind is that around the quality use case is beginning to contemplate longitudinal patient centered data. So, we are thinking now not just about the current state where a lot of the aggregation is site specific, but thinking toward the future state as there will be new aggregators, but we need people to collect the patient level data on multiple entities. There are issues. The quality workgroup was looking for clarity on, with respect to that those entities are doing quality improvement when they are linking data across multiple entities. Some clarification on the ability of that data be identified if it falls under TPO. Also, about the matching then occurring there and the issue of the feedback mechanisms because now you are really talking about data that has come from multiple institutions and is the one place for the purpose of that patient care, which is different than institutional quality improvement. So, wanting to be sure we are clear about that so the language can be interpreted for quality improvement to also include cross site of quality improvement.
DR. COHN: I did not come and join you at the beginning. As you talk about this one, and remember I am from California, but this thing called HEDIS in NCQA reporting and has been going on, not quite since I was a little kid, but it feels that way sometimes. Can you distinguish that sort of aggregation, which is cross facility, cross provider, cross institution for what you are contemplating?
MS. ANDERSON: So, we are thinking about data coming from clinical systems that would – and also supplemented data from other systems that would be linked about a patient, which could include patient provided information. It could include registry information. It could include information from hospitals and home health and physician offices, et cetera. But being aggregated and linked about a patient, in order to envision a future world where you are actually commenting on the patient outcome. So, wanting to health IT enable that sense of quality improvement, very patient centered that does exist in some leading entities in the US. Largely, the quality improvement is within an entity within a hospital, within a physician group, et cetera. So, trying to make sure whatever language we use is clear to, is this going to be operations. It also encompasses that. Versus NCQA, which historically has been both claims based and some individual record gathering.
DR. VIGILANTE: So you are saying this is consistent with the episode of care concept? Is this what you are talking about in terms of, you owe one episode – okay, where somebody might be moving from one hospital to an out-patient environment to a set of specialists who are coordinating care. Who is really responsible for losing that limb? Is it the endocrinologist? Is it the vascular surgeon? So, to understand all of these things, we need to be able to track folk's data. We want to do it longitudinally and across institutions, which may require more specific capabilities of identification in a longitudinal way. Is that it?
MS. ANDERSON: I am not going to go as far as – but I do not need to worry about that in this context. But I do – the concept of aggregating data longitudinally in order to evaluate patient outcomes is the concept. So, in doing that with data that is both clinical and then also there will be efficiency measures that will have some administrative non-clinical data plus patient reported data may factor in to how clinical physicians support all of this, et cetera. Did I answer the question that you asked?
DR. COHN: I think others want to comment. I will finish this one up.
MR. REYNOLDS: Try the diabetes example. That was a good one you gave us this morning where the person was a diabetic.
MS. ANDERSON: Okay that probably does overlap a little bit with NCQA. Maybe the one I can try is around hospital-acquired infections. So, if we want to hold accountable or do some quality improvement on infections, it may be true that that patient comes back to the same hospital. Therefore the hospital has insight into the fact that that patient acquired an infection, but it may not be true. They may go to another hospital. They may not require hospitalization. So, if you are trying to evaluate infection control across the continuum, you want to have data from multiple entities, and then you want the feedback loop to at least not only just tell the original hospital, you had more infections then you know you had, but also be able to on an identified way say, and we know that because the patient got this prescription or saw this doctor and was admitted here or there. That is quality improvement at a level that does not currently happen in the United States. The idea of being that that is a vision that would – the question from the quality workgroup is that is also operation. Even though these entities are not necessarily affiliated with one another, but it is part of the quality improvement at a higher level.
DR. STEINDEL: I have no objection to the vision that you are painting and to allow in that vision. I think it is very useful. I have a problem with, are you hard and fast on calling it operations, or is your real drive just allowing the vision?
MS. ANDERSON: What we want to know is clarity on that because there are aggregators that will be meeting of these vision and to think about what their requirements are about having identified data where they are linking. So, it is more about the operations of use as a term of, where do all of the conditions that apply in this report, do those apply to those entities or not?
DR. STEINDEL: Yes, I think my problem with that is I have a little problem with the way HIPAA defines operations of extending it outside the institution in the context of the way it has been defined. I have no problem about extending the concept through business associate agreements to allow the type of structure that she just talked about.
DR. CARR: Okay, moving on. Stewardship, and here a question that I think has come up about stewardship is within operations, using data for quality, is there any expectation of oversight of how data is used within an organization for operations?
DR. OVERHAGE: Why just within? You said within an organization.
DR. CARR: I am sorry. I meant – it is because I do not get out much. When we talk about Christine's vision, our future vision.
DR. TANG: Where did that first definition come from?
DR. CARR: Merriam Webster.
DR. TANG: Do we have to use it?
DR. CARR: It is better than the one that was there before, but I think if we are talking about data stewardship, I am not sure that that adds anything.
DR. TANG: I thin the second one says the two things we are worried about are responsibility and accountability.
DR. COHN: I get that. They seem to be both large and consistent with each other and we probably aught to, you know. Do you think there is an issue there?
DR. CARR: We can work on that. Also, the other thing, to my chagrin when we presented this, we did not mention the RFI that had gone out. I know we have heard preliminary from John, and he still deeply immersed in it, but is there anything that we need to tie out with the RFI?
DR. COHN: Are there any definitions from the RFI that we need to pull in? We probably just need to include more definitions.
DR. CARR: Right, we need definitions beyond anonymization. So, Harry, do you want to speak to this? This quality assessment comes from HIPAA. This is HIPAA's definition of quality assessment. So, outcomes evaluation and development of clinical guidelines provided that a painting of generalized knowledge is not the primary purpose. So, outcomes evaluation and development of clinical guidelines fits with the AHIC Quality Workgroup vision. Population based activities related to improving health or reducing healthcare costs – what is it related – Harry, this fits with payers. Then, research is a systematic investigation including research development, testing, and evaluation that was designed to develop or contribute to generalizable knowledge. Okay. Harry?
MR. REYNOLDS: What we will try to do is, again, using the idea of grouping these up into more of a story. Each of you came up with some things today, trying to group it up into more of a story than just exactly how it says it is in the document.
We are starting with HIPAA where it provides the use of health data for TPO without authorization. Then we are recommending that the secretary issue guidance to cover entities to adopt data stewardship approaches, stronger sanction policies, self-policing, technical data security approaches, and organized healthcare arrangements. We are stating clearly that operations includes quality. We are recommending in their oversight by senior management. It has been necessary for satisfactory uses for quality and data release agreements for use of datasets. So, again, HIPAA had gave us TPO for qualities included as defined in the HIPAA rule.
Going next to contractual arrangement for data sharing from covered entity to business associate to agents of business associates. We recommend strengthening the chain of trust. Only permit use of De-identified data when method and chance of re-identification are reported to the covered entity. Now, based on our earlier discussion today on the De-identified that Mark put on the table. This would be one that as we get into our further discussion whether or not we overlay that on top of here to decide what we would really end up doing or not doing with statements. So, I guess everywhere we mention De-identified, we would want to at least put this filter over it to say, is that the right word? Are we staying with De-identified in this case, or are we actually not? Does it branch out? So, that is the way we would want to think about it as we do it.
DR. CARR: So, this is under the bullet of contractual arrangements for data sharing from covered entity to business associates. Why do we need De-identified data if covered entities and business associate's use of data is for operations. I guess that is what I am wondering if we are talking about operations. If we are, why is De-identified an issue?
MR. REYNOLDS: Margaret you want to comment first?
MS. AMATAYAKUL: So, if they decide to De-identify and use it for other purposes. Today, there are no protections. So, what this is saying is, so you cannot do anything more unless you notify us.
DR. CARR: Right, but that is not it. The way I read it was, if you are a covered entity and you are working with a business associate, my assumption was it was without operation. So, I guess in that top bullet you might want to say, for other purposes. For TPO, you do not need De-identified data. You can work with identified data. So, it is confusing.
MR. REYNOLDS: We have Steve and then Paul.
DR. STEINDEL: I think my comment is essentially the same as Margaret's. When you transfer identified data down the stream of trust that we are creating, there is a chance that one of those agents or business associates may decide there is other things they can do with the data. For instance, either internally within their own operations or externally use it for marketing purposes, identification of potential markets, or whatever it might be. What we are saying here is, you should specify whatever uses you are going to do with the De-identified data.
DR. TANG: So, I am going to play a couple of our rules. One was the expectation rule, and the other is Mark's thing, what if they did this? Would the world be a different place?
So, I am going to try the second one first. If we did this, the world would not be any different. So, that makes me go look and say, I think we need to strengthen the language and what we want to say. So, the first, instead of issue guidance, I would say require. It does a couple things.
MR. REYNOLDS: Did you have a question? What is your question?
MS. AMATAYAKUL: I just want to make sure, are you referring to this, only permit uses? Or are you referring to this whole entire slide?
DR. TANG: This whole entire slide. So, I think issue guidance does not help the world. If we said require the following, I think it changes the world in two ways. One, it is certainly very proactive and action oriented. Secondly, based on what Leslie said at the last meeting, it has legal implications that strengthen what goes on. The other piece is the discussion about business associate and whether they need to be De-identified or not. That is where I would use the word restrict because the covered entity is supposed to, but what we have found out is either business associate agreements were written essentially by the recipient and allows them to do way too much, or does not have the power to be enforced anyway.
MR. REYNOLDS: Where are you restricting?
DR. TANG: The use of data should be restricted by the required business associate agreement not to do anything more than the specified use, not take it to the side what is operation or not. It is the covered entity that gets to decide, not the business associate. MR. ROTHSTEIN: I would like to suggest something to maybe put on the table for perhaps discussion in whatever the discussion section is. That would be a principle that is analogous to minimum necessary. We are in healthcare operations allowing the use of individually identifiable information for those purposes without additional notice or consent. I would like to raise the question of whether an analogous principle necessary would be helpful, and that is not only is it minimum necessary, but the data should be used in the least identifiable form consistent with the operations use. So, it may well be that there are some healthcare operations uses of data that they do not need to use identifiable stuff. There are other operations where they do need identifiable stuff. I think the principle we are discussing is to ask the covered entities or require the covered entities when they are using data in healthcare operations to use it in the least identifiable form that is consistent with whatever their use is.
DR. OVERHAGE: In the spirit of Kevin's looking for unintended consequences here, we talked about insuring companies that provide data transmission or business associates and give them the guidance of issues that says the postal services is one of those triggers. Are we putting ourselves in a corner that is going to be hard for people to say, well this is a crazy recommendation?
MR. REYNOLDS: We spent a little time this morning talking about conduits, which were identified in the rule.
DR. OVERHAGE: You did not say conduits.
MR. REYNOLDS: No, what I am saying is we need to look at that. Steve?
DR. STEINDEL: Harry that was a red flag that was raised when you talked about conduits this morning. I think there are two types of conduits. There is one type of conduit that is just the medium for transmitting the information from point A to point B. That medium may actually have a temporary storage role. Then there is another type of conduit where it has a more permanent type of storage role. We need to differentiate between the two. I think the temporary storage role is one that we want to allow to flow freely.
DR. COHN: Steve, thank you for saying that. I think you have created the additional precision on this one. I really agree about the US post office, US mail, and places – the real question is, what are people doing with the data, which I think is what Steve is bringing up.
MS. AMATAYAKUL: The first point about issuing guidance versus requiring. Can we weigh in on that a bit more?
MR. REYNOLDS: Would is the wording? Is it in here?
MS. AMATAYAKUL: Issue guidance to covered entities to do whatever.
DR. STEINDEL: We talked about this somewhat at the last meeting as well. This has to do with our idea that we would like to provide a mechanism for the secretary to do something under the existing constructs so they do not have to go through either legislative process or rule making process to institute any of this. It was thought one of the best ways to do this was through the guidance documents that we release in terms of how do we implement this regulation or what is the department looking for when it goes to investigate complaints about the application of this regulation, or people ask, how do I implement this regulation? And they issue guidance documents, is what they are called. So, I think we adopted the word issue guidance because that was we wanted to go into those guidance documents. I think Jim Scanlon at the last meeting said as far as he was concerned whether we use the terms issue guidance or say require that the department will review both uses of the verbiage as going into the guidance documents.
DR. COHN: This is one of those times where I want to have people refer to the document. I am on line 884 to 888. It is actually a little bit more than what is up there on the slides. This is the new copy that is in front of you today. I do not know what the old one is. It basically talks – It is trying to walk the line here. It is not just issuing guidance. It is more than that. Do you want to read that?
MS. AMATAYAKUL: 884 recommendations for the issuance of guidance such as the HIPAA security guidance distributed by CMS on December 28, 2006 and or further enhancements of regulations are made that would service means for covered entities to demonstrate good faith efforts and compliance with applicable regulations.
DR. COHN: So, I think that is a little bit more than just issuing guidance. I guess, when you read the whole thing, it sounds at least to me the intent here is to be stronger while not using other words.
MR. ROTHSTEIN: This is not a legal opinion. You have to be the judge of that. I do not think legally the agency can impose new substantive requirements under the guise of “guidance” that would violate the Administrative Procedure Act and deny due process. So, the guidance clarification route is only where you explain what you mean by existing requirements. I do not think it would be enforceable against a covered entity to issue civil penalties against an employer for failing to adopt data stewardship practices, et cetera. So, I do not think there is a way to make this new requirement mandatory simply by going through the guidance route. Also, as a matter of strategy, I think there is a likelihood that if we put in our recommendations, the secretary should “require” that the secretary might take that and make it guidance. Okay?
I do not think there is any likelihood it would go the other way that if we recommend guidance that the secretary is going to make it stronger. So, in other words, if we put the secretary should require, the secretary might require or the secretary might issue guidance or considerably neither. I do not think they are ever going to ratchet it up. They might have to ratchet it up in order to make this enforceable.
DR. DEERING: That was essentially – I was going to frame it in a question, but my issues were: can you in fact correct errors, fill gaps, or introduce something new through guidance. I guess the answer is no.
DR. TANG: So this is a non-legal response to the disclaimed legal. I thought of a way the secretary can make required in federal business associate agreements or contracts such and such. And that could set a standard or a model. It can compel its business associates to do the following. That could be very powerful.
DR. FITZMAURICE: In the privacy rule, I think the word reasonable appears about 143 times to say take reasonable precautions to do this in a reasonable fashion. This could be put out as guidance to say, if you do this, this would be what we expect a reasonable man to do. So, it must not have the effect of getting 100-dollar penalty if you do not do it. But if something happens, you can say, well I took reasonable precautions. I did these things that were put out as guidance.
MR. REYNOLDS: It would also be good to include that reasonable under the original HIPAA and what we are thinking about with all of these other things that we are finding out that the other uses and the NHIN, reasonable looks a little different now.
DR. FITZMAURICE: We would expect that good data stewardship would lead a reasonable man to do the following things.
DR. COHN: I just want to observe that the report says guidance and/or enhancements of regulation, which I think, Mark, that is with your position. I actually do not know the answer to this one, but I think we are covering both pieces.
MR. ROTHSTEIN: Well, I think it would not hurt us to put our preference and fallback positions. In other words, we recommend that the secretary require in the alternative and at least HHS contractors should be required, or at least the secretary should publish guidance.
DR. COHN: I guess the question to me is – I guess I am sort of thinking that the intent here is to get into a position where it is the standard and it is the expectation of the industry and with some enforcement capability that all of this can happen. And somehow if we are not saying that, but also leaving to secretarial discretion whether the secretary believes that some or all of this can be done via guidance versus regulation. I think it is, to me, a very reasonable position.
I do want to pose an additional idea of adding contract capabilities. I think that should be a recommendation. So, I guess I am trying to – we need to specify the tools the secretary needs to use on that.
DR. TANG: What Mike just said about the reasonableness brings up an interesting point. I think, clearly, we have said we need to educate consumers. Interestingly, I think what we have learned and sometimes we miss the forest, we have learned that what was reasonable even five years ago, or what we thought could be done or should be done or what it would be outrageous to do has now become reality. There are new threats that we did not know, even the people around this room that are deep into this did not think was going to happen or could happen five years ago.
MR. REYNOLDS: Okay, let us go onto the next slide. Transparency, we recommended that we identify business associates and their agents including those who then again the De-identified will have to work on that.
MR. ROTHSTEIN: I would just like to put on the table another general filter. That is, we have identified in this document very well the emerging world of health information exchange for these purposes. I think we have recognized a variety of risks to individual privacy and so forth. So, the question that I have is, in what ways are consumers better off as a result of what our recommendations are? If you had a consumer sit down here and had bad problems and they want to know, what are you recommending that is going to protect us? Well, what is that?
MR. REYNOLDS: Good point, but I remind you that we all are consumers around the whole room. It would a good question to ask ourselves in the room here.
DR. FITZMAURICE: I would ask in what way are we harming consumers by not permitting them to get some information that they would otherwise get with these requirements?
DR. OVERHAGE: I guess I am looking at some of these through the lens of what I do every day and thinking about what it means. So, for example, describe and publish intent to link data. So, that means that the laboratory where you get your blood drawn has posted on their website something that describes that they have participated in the health information exchange and refers to the health information exchange website. I am just trying to think how some of this gets operationalized. And to Mark's point, can you expect people to really understand and get that? For example, how many of you know that the coroner's data is publicly available? You can go to a coroner's office and review the report on any coroner's case. I guess the point of that is, how much do we really expect the consumer – how far does this go? You have to understand and know what that means and how much at work – it is one of those things where it is the footnote on the website that refers to two other websites that refers to this.
DR. CARR: Getting back to what Paul said earlier. Where do we fit in the idea of the unexpected uses? DR. OVERHAGE: It is just unexpected that the details of, you know, you see a patient today and next year as part of a quality improvement thing, you are working with a new contractor. How does that – I mean, you could make it available on the website so somebody could go and look.
DR. CARR: Maybe what the spirit of what we are trying to do as Paul stated it is letting individuals know when the data is being sold or marketed or unexpected beyond care delivery. I think there is an opportunity of saying, care delivery is not just your conversation with you doc, but the whole continuum of--
DR. OVERHAGE: I think that is the fundamental thing of where is the boundary of sold or unexpected by the consumer. I do not know that we nailed that one.
DR. CARR: No, but I think we need to come to closure on what we think and our best effort because the heart in the matter is they do not really care what the lab relationship is with the HIE, but they care a lot about selling or marketing. This is where we were a couple of years ago in the beginning.
DR. VIGILANTE: In medicine, we do a lot of things to the patient, so we can say we did it. So we feel better about it, but it does not necessarily help the patient.
I think that the same thing here, as you get into this area of you are trying to do everything and make everything transparent, but that actually just obscures because you cannot get to the bottom of what really matters to me. I think that if we could – if the requirements could for transparency – should hone in on those things that would be reasonably expected to disturb a patient. If they were surprised to find out you did that, those are the kinds of things around which transparency should be focused.
DR. TANG: I am sympathetic to what Marc Overhage said about the burden. Some of the requirements in here could be burdensome without contributing. That would go along with what Kevin said. Even novice lawyers could say that intent is a pretty hard thing to publish. If we did publish in a transparent way, what uses you do – I think it is – Okay, the fact, I just learned the coroner thing from you just now, but that is okay. In today's world, if we had this long list of things of how data is used, there will be somebody who basically explains this, and I think the world will be a better place. There would also be some exposure of things that the world does not agree should happen and we should adjudicate those.
DR. STEINDEL: I think what we need to agree to in this particular letter is the concept of increased transparency. I think there is general agreement around the table that that should occur. What Marc is getting into is the method of how we have increased transparency, and we might want to recommend in the letter that the NCVHS would be happy to hold hearings or something like that into this area. One example that I feel is good to think about is the movie ratings. That is an area where we do have increased transparency. Whenever you take a look at a movie rating, you can look at G, PG, et cetera and you have some idea of the level of the movie. They have gone one step further than that with movie ratings where they now qualify why it has been rated that way. That might be a model type system that we could use to put it out very quickly.
As was mentioned by a lot of people, some supplementary material may be available in the doctor's office or on the website or whatever the case might be about what the details are. That is one way you could have increased transparency relatively simply.
MR. ROTHSTEIN: I would like to see somewhere in the document a statement that although we support transparency, there are limits to the effectiveness of transparency. At some point you put so much information in notices that people just tune them out and that transparency, although a good thing, is not meant or cannot possibly be a substitute for other measures to protect the privacy and confidentiality of the information.
MR. REYNOLDS: I think that is a much more positive way to put it because if you sit and listen, every time we talk about this, somebody says, well that is too complicated so we will not tell them. That is coming from a dramatically different position.
DR. VIGILANTE: The chance to re-identify, I still am not sold on. I mean, I just think we need – I am not sold on it because I do not know it should be a requirement for transparency. I do not know what you do with the information. I do not know how somebody calibrates that. I do not know how complicated it is to report on it. Before we get behind something like that, I would have to hear a lot more testimony about the implications for that personally.
DR. DEERING: It sort of came up during the prior conversation. I think it is applicable across the report. It picks up both the issue of what is it we are trying to accomplish in each of these areas. It would also pick up on the thought that things are changing. What we thought was unreasonable, unknowable is now knowable, real, and acceptable. We do not know what is going forward. So, as a general approach to the recommendations, we have just observations and recommendations. I am wondering whether we should have desired end point so we are very clear about what we think the end point should be. Then picking up on this issue of what kind of regulations guidance, et cetera. I think it would probably cover all of the areas that we have recommendations in, which is you clarify absolutely rigorously, this is where you think the world aught to get to. It is a moving target. We have different means available now. These are preferred approaches now for getting there. So, it's just a structural approach.
MS. ANDERSON: This is one of the areas in reviewing the report where I was stuck because the line between quality improvement and research for instance was not defined or because some of the other boundaries were not defined. It is hard to know to whom this would apply. So, for instance, if you think about business associates that might be business associates around quality improvement, and they did have identified data. So therefore, it does not apply some of these requirements to them. So, we describe a published intent to link data for instance. If they are linking it for the purposes of quality improvement and there are business associates, does that apply to them or not? So, it is a little fuzzy.
The other place that struck me in terms of characterizing it by the uses rather than by the relationship seemed like it would make more sense from a transparency point of view, which I think we have already heard. So, it was hard to tell to whom anything would apply.
For instance, if – I am a patient in some cases. If I was to see that my physician shares my data for quality improvement purposes and I might have a one sense about that, and there is the other one that is sense of also for pharmaceutical companies to do outcomes research. I might have another opinion about that. But when you think about those other – Those different relationships. The first relationship, you might have business associates that you are doing quality improvement with. The second relationship might involve sales data. Then I might want to know, what else are they going to merge together when that other party gets that data to reach certain conclusions? So, I am not really setting up the construct but saying that from a transparency point of view, it seems like it was getting kind of obtuse. From a burden point of view, I could not tell to whom it was applied.
DR. CARR: So, I just wanted to reemphasize the importance of the fact that re-identification is a building block of being able to do longitudinal outcomes, and it is a good thing. So, we want to make sure that we can do that while at the same time addressing where we might not want to assume that it could --
DR. STEINDEL: I would still like some clarification on this. Let us take the example of the two inhibitors. If I recall correctly we heard during a hearing if it was not this specific case that Kaiser Permanente actually saw that relationship in their databases before it was reported. Now, they were looking at it from a quality control point of view regarding their patient population. If they decided to call the FDA because they notice something in their databases and say, maybe you should take a look at it. I would probably still look at that as operation and quality uses and be permitted. If they decided, we are going to sit on this data because we want to publish a paper, then it is going into the realm of research. I would like to see some other levels put on it. That is why it is a very hard line to draw, which I think it is why we never really try to draw the line.
MS. ANDERSON: I am not suggesting that you can draw the exact line but to provide some better guidance about what you consider quality improvement to include. So, I do not know that you can say this is in, and this is out. There are some things that cross that line. Without some kind of an understanding – let me give you a practical example from my previous life where I used to work for a company that was a performance improvement vendor for hospitals. Our contracts allowed us to use their data for research. The time the contract was signed, the intent was to use it to build risk adjustment models. That is exactly how we described research. That is what we did in terms of research. As I was with that company, it was sold three times. What I heard from corporate lawyers was, you can sell that data for research to whomever you want. It really took a matter of the persons who were there when the contract was signed to say that is not what we said. We need to go back. So, I think this issue even though it is really hard, it is relevant.
DR. GREEN: I appreciate this exchange, and particularly your passion for the way you force this issue. I have question for the workgroup. Has the workgroup reached agreement that the following two sentences are correct? Number one, quality improvement and research are fundamentally different enterprises. Number two, data can be De-identified.
MR. REYNOLDS: Paul?
DR. TANG: I would agree with the first statement, and I would not agree with the second statement. I would hope that that is one of the educational things that we can provide with our document.
MR. REYNOLDS: On the second one I think there is a definition of De-identified.
DR. GREEN: Which we know does not De-identify data.
MR. REYNOLDS: I am not answering your question. We know that there is a definition.
DR. TANG: There is a rule to apply. There is not a definition of – Webster's definition of De-identified would me you cannot identify.
DR. GREEN: I am not really asking about the rules or whatever. I am asking about consensus. Is the group of one mind about those two issues? Does the entire group agree that the answer is yes and no? That quality improvement is fundamentally different from research and that actually data cannot be De-identified.
DR. STEINDEL: I would respectfully disagree with Paul. I think the answer is no to both of them. I think a prime example is what we just heard about using data that was sent to a company for quality purposes that was then used for what they called research, which was risk adjustment. I think in a lot of cases when we talk about research, we talk about research as covered from the IRB's and NIH rules, et cetera, which is a totally different area than research of that type of purpose.
DR. TANG: But those are two activities she described.
DR. STEINDEL: I think that that is – there is a continuum there between quality and what he referred to as research. I think that continuum exists even in operations within a hospital.
MR. REYNOLDS: Mike, Justine, and Mary Jo.
DR. FITZMAURICE: I do not think there is a line that separates quality improvement from research. I think many cases use the same methods. You may not have the same sample sizes, but as you get larger and larger, you move from quality improvement to research. I do not think you can distinguish between them. Secondly, I do believe that datasets can be De-identified. De-identified is defined in HIPAA. You can remove the 17 variables, and then the 18th one is any other linking variable. Is that data truly anonymous so you can never link a person's name back with it? Possibly not, but in most business associate agreements and most data use agreements you have to pledge not to re-identify the data, having received it.
DR. CARR: I think that you are raising a issues that are very important. What we are focusing on is how to fix it. So, I agree with Steve that you cannot make a clear checklist of what is research and what is quality. I think there is a continuum, but I do believe that we can oversight such that nothing falls through the cracks and therefore the data is protected on each side. I think that we have something that senior management use of data and operations. I think that is really where we have opportunity because we will continue to debate whether there is a difference. Then again, De-identified, I think it is the same idea. We are now in the new world. There is capacity to re-identify even beyond when we have removed the 17 plus things. So, I think trying to hammer a different definition is less useful than to say, what protections are we going to put in place understanding that there is this grey zone?
MR. REYNOLDS: Mary Jo?
DR. DEERING: I guess I am in the emerging majority, but I also want to state – I did want to observe that in the field of research in at least biomedical research, one of the main emerging threats of research is translational research which is explicitly provided to be fed back to improve the quality of care. So, I would vote for those who say it is a meaningless distinction.
MR. REYNOLDS: Okay, Simon, I think we are going to take a break.
DR. COHN: Yes, I think we are going to give everybody a 10-minute break. We know you want to keep going, but we will go in 10 minutes.
MS. JACKSON: Before we go, just keep in mind there is enforcement now for the building that all visitors and guests need to be escorted even to the cafeteria or to downstairs. So, if you could just align with someone with a badge--
MR. REYNOLDS: But I do think you are allowed to go to the bathroom on your own.
(Break)
MR. REYNOLDS: So we are going to go the last – Kevin?
DR. VIGILANTE: Can I make a comment relevant to the last discussion? I do sort of want to go on record that I do believe that research and quality are fundamentally different and that particularly at the extremes where they are easy to identify what is what. There are cases clearly in the middle that are very difficult to figure out, but just because those are difficult, we should not feel obligated to say that these things are the same. I think there is a danger in that. There was an interesting scheme in how you identify one from column A, one column B at the back. It was interesting that one of the ways of identifying something as quality is that poor research methodologies are used. It was one of the things that went into the evaluation of why something becomes – I think we accept now that in this new world of quality measurement, very sad methodologies must be used. It does not mean it is synonymous with a research enterprise.
MR. REYNOLDS: So, to play off of your question, you said at the extremes. Do we define the extremes and leave the middle grey and make sure that stewardship and guidance and the other stuff we talked about deals with it? How do you see that playing?
DR. VIGILANTE: Well, I will invite others to – I think a couple of things. I think that we should characterize what we mean by things that are clearly quality – part of the quality enterprise and part of the research enterprise where it is easy to identify. I do think that mechanisms to help folks distinguish what side of the line something may or may not be on understanding that it may not always be clear and be able to do that. I think we had talked earlier – there may be IRB-like bodies in larger institutions that take this on because it is just not possible to write guidance at every level that can do this. I do not know what the right mix of things are, but I do not think we should give up on that possibility.
MR. REYNOLDS: Justine?
DR. CARR: Well, two things. I just want to refer to one of the models from MD Anderson in the Hastings Report. So, I will just briefly say it, but different things between research and QI. So, the characteristic existing best knowledge, research challenges that. QI applies it. Principle aims, research tests the hypothesis. QI improves the process. Characteristic principle goal, research generates new knowledge. QI improves advocacy, efficiency, and safety of care. So, it goes like that. They do actually have a body that oversees the clinical quality. So, again, it takes away from – it gives you some guidelines of where things go, but everything gets overseen. It is not like research has all these rules, so let us do QI because there is not that oversight.
DR. TANG: That is why I contribute to joining Kevin's side so that it ties up the vote.
MR. REYNOLDS: Erin has a comment, and Steve, since you made a comment earlier that has created this further discussion, I am going to both allow and require and give guidance that you weigh in here.
MS. GRANT: Justine, to pick up on the point that you just mentioned in terms of citing the MD Anderson Report in the model about the use. Is the understanding that there would be a recommendation that that type of model be in the actual document that we are writing that we say, MD Anderson has developed this model, but there needs to be a model developed that other organizations could use? I think they sort of act for that – there is that need for that criteria. Could it be recommendation not - say, HHS refers to another federal entity or an outside body to help develop that criteria that other organizations could use because MD Anderson is a very large institution. So, they have the ability to have a lot of staff and perhaps have an IRB on staff whereas another smaller organization would not. But having that guidance and maybe having that criteria to use would be helpful.
DR. CARR: I am putting that out there because we have to come to closure on what level of granularity. We have something up there about stewardship, but what does that mean? Are we taking it to a level that there is oversight over quality and operations? So, I think we do have to come to closure on that and how granular would remake it.
DR. STEINDEL: I was very intrigued by when you were reading from the Anderson Report where they referred things as QI. It is much more to quality than just QI. There is quality monitoring, and that falls on one extreme that Kevin is talking about where that is really a quality initiative. How many times a day are the floors mopped? That is a quality monitoring type initiative. Now, what you might see is that there are instances related to that, and you may start thinking, maybe I should start instituting some quality improvement initiatives in this area based on the monitoring data that I have saw. That may lead into research studies. So, that is where the continuum comes in. QI is really somewhat where the boundary is between research and quality. I have a lot of personal familiarity in that area because that area blurs totally in the laboratory where you are actually looking at quality monitoring data on a day-to-day basis. Then you start seeing things when you institute new method. You are doing actual research to test the data, not publishing, but internal research. So, there is a tremendous amount of blurring on what we call folly.
MR. REYNOLDS: So, Steve, you physically stated earlier that there was not a difference. That is what I think has generated some of these discussions. So, help me with that.
DR. STEINDEL: I think what Larry was asking is more or less is the committee, are we clear? Have we reached consensus on what this difference is? Is there a difference? That answer I think is no. I think this discussion clearly shows that we have not reached consensus on what we think that continuum looks like. I think everyone in the room agrees with what Kevin just said. We can define quality on one end and we can define research on the other end. The question is, what does it look like in the middle, and how do we say when does quality turn into research? That we can say.
MR. LANDAU: Usually I do not make comments, but I guess I was encouraged to make a few. The first thing I want to talk about regarding quality and research was I wanted you all to be at least aware of the fact that there has been guidance already published under the NIH website. I do not know whether you all have seen it dealing with the primary purpose regarding the privacy rule. If you want me to read it I will, but I assume you are familiar with it. That is the first point. That is, what does primary purpose mean, and where do you draw the line?
Going back sort of broadly about what Mark talked about regarding regulations and guidance. From ONC's point of view, the key goes back to the scope. I will tie this back together. The scope is to make actionable steps that are practicable. So, regarding quality and research, I think it requires some granularity to include some language that this is what we would like quality to mean including but not limited to. So, you provide some guidance in that regard. So, I guess the bottom line is, what is helpful is the thought of, what do you mean test? What do you mean by quality? I think it is not an exhaustive list, but some type of line drawing would be probably somewhat helpful.
Agenda Item: Review Themes and Issues – Resolve for Report
MR. REYNOLDS: Okay, thank you. Let us go on to the next set of recommendations and then after that we will go through what everybody's consideration is, what we aught to have Margaret working on this afternoon. We talked about it briefly, but we need others' input. So, the last slide on the recommendations is, it talks about transition to the NHIN. We have heard a number of times this morning this whole idea that we had the past, we have the present, and we have the future. So, this is kind of leading to that. And we talked about it being more addressable if functional requirements and demonstration projects are used toe valuate individual choice. Part of this is where we had the opt-in and opt-out and consent and some of the other things that maybe hadn't been brought out as much. So, individual choice, what are the consent options? We heard a lot of testimony on that. Impact of quality oversight and data stewardship including opt-in and opt-out for various uses of data sets, De-identification techniques to determine effectiveness to protect identity and protect chance of re-identification, impact of stronger sanction policies or cell policing, impact of chain of trust mechanisms, education localities, and then working towards inclusive federal privacy legislation and expand the definition of covered entity, anti-discrimination legislation and so on.
So, basically a different structure in the letter. If you remember last time, we started out with the first recommendation being legislation. We felt instead that we could make the first set of recommendations be guidance and other things that can be done with the fact that legislation would be there as where an ultimate outcome could be if it ever does or does not occur, especially since we have already has NCVHS made clear that we believe that there should be some kind of a legislation rather than to start there again necessarily. Start through the guidance as to how we continue this transition, not necessarily say right up front, here is the legislation. If you cannot do that, pull our second idea. So, that is why you see this listed a little bit differently than it was. Not to demean or lessen the call for legislation, but to understand that there is a big world. As we have said, there is a world that has been changing fast. If there were to even be legislation, there is going to be a lot of world going on between now and that legislation and to make sure that we try to make some kind of an impact on that guidance and that transition between now and when that would or would not happen. With that, I will open it for discussion of these items.
DR. OVERHAGE: A couple of things that are near and dear to my heart. One is I worry a bit about a recommendation to – One thing is I think it is important to recognize where ONC is and their process and that the trial implementation contracts have been left, but not announced. And changing the scope of those would be challenging. So, I think we have to think a little bit about what this could mean. What is the outcome of this? Clearly they could change the contracts and what not, but adding this into the scope of work would be a fairly significant change from where they are today. So, I think that is one question. So, does this go in the five-year time horizon? Is this something they should come back to in two years, or is this something we feel so urgently that it aught to get baked into the current route of trial implementation work? Maybe we do not get that specific, but I think it is a question that we have to understand what we are recommending.
The second thing is that this gets really tricky because I think it depends on the model that a nationwide health information network evolves into whether any of this applies or not. For example, in the model that we have developed locally that we favor the exchange that does not have any data and does not do anything with the data. It is always the institution's data. I think the general direction that ONC has gone has been network of networks that how far that goes is a question that where that data is not in the middle anywhere. So, it begs a little bit of an issue of what this means in that kind of a model.
MR. REYNOLDS: Well, I think that is the key point. Margaret?
MS. AMATAYAKUL: As we transition, there will be even in a network a networks scenario. There will be more ability to aggregate data, to collect it into one place even if it is not in your location, but it is going to be somewhere that the NHIN puts it to.
DR. OVERHAGE: Not necessarily.
MR. REYNOLDS: But not defined – that is what part of this is trying to say.
MS. AMATAYAKUL: But at some point you try to bring this together to do comparative analysis, et cetera. Right? At some point, you have to bring it together even if it does not reside there for any period of time. You still have to bring it together to work it. So, is there a way that we could say when that happens, facilitate it by this network of networks. Would that help?
DR. OVERHAGE: I need to think about it more. I think it does help. I guess one of the – the reason I say I think I have to think it through a little bit more is in some models anyway, it is not an entity doing this. That is what makes this a little bit tricky. What I mean by that is, it may be three covered entities who decide to collaborate for certain quality improvement efforts. They each sign a BAA with a single entity that as you describe virtually merges the data for the purpose of generating a number and the data goes away. So, who does this apply to? Who does sanction policies and self-policing apply to? The covered entities?
MR. REYNOLDS: Yes, but I think what is key – we did at NHIN an effort as to what the functional requirements are going to be, and there are pilots, but there has been no acceptance that that is it. We are also in the midst of a privacy letter right now that we are going to work on this afternoon. The reason this group is not continuing where we are talking about what people can and cannot do with data and what we think they could or could not do with data. We also heard significant testimony about this idea of opting in and opting out. What is the NHIN? Nobody knows exactly what it is or anything else.
So, I think there is no question that if someone gave us four models and said it will not be any more than these four models, I do not think there is any question – But right now as we continue to hear testimony, we have to take that testimony into consideration. As we continue to realize that people are going to want at some point – We are all on board about some kind of way that you are either in or out or involved in the NHIN because to those of us around the table, it is clear that this would be under a covered entity or something else. But anybody else that is not close to the NHIN, it is still somewhat of a nebulous discussion of a technical nature. The network of networks does not go all the way out to some consumer understanding of what just did or did not occur. So, we are trying to take these other things that we know are issues that have been put on the table to us. They may not be as deftly worded as we may want to do them. I think we need help on that, but trying to say that we are transitioning into this thing and there are issues that are on the table and that is why we talk about the demonstration project. So, do they change the current demonstration problems? Probably not. Do they change as we continue to think and as they continue to find it? It may. So, I think that is where we are trying to go with this.
DR. OVERHAGE: I think this disappears. The reason I think this is completely a way is we should address those issues because this is getting into the mechanism and process of something rather than the outcomes. I forget who was talking before about we need to focus on what we want to have happen at the end as opposed to the how we get there. I think this is an example of a how we get that piece. Like you say, we have no idea what shape it will take if it will take shape or whatever. Maybe we should be saying instead of having a separate section here, going back to each of our other parts and saying, thinking that projecting forward there may be a nationwide health information network, what are the implications for all of the other pieces that we talked about? And not hold them out here. I think that really helped me Harry.
MR. ROTHSTEIN: I have a question. For the last four bullets of the first big bullet, I am clear how they relate to the earlier part of the report and recommendations. I am not clear how they first two bullets relate. If we are going to include those, I think we need to say why we think that is important. In other words, we have never made the arguments in the paper. I may have missed it. That individual choice is a goal of ours in the context of this report, and now we are recommending that we have these pilots to further individual choice. So, I think if we are going to go this route, we need to lay the groundwork better. Maybe I am just totally off. What is the connection with our other NHIN stuff? That is the link that I am missing.
MR. REYNOLDS: Well, the other NHIN stuff we did where we had the functional requirements. The farthest functional requirements, as you remember, we stopped short of opt-in, opt-out and some other things. Okay? So, those things were on the table. We heard testimony. Now, there is two ways we can go about this. We heard significant testimony about new systems that would consent differently. We heard from consumer advocates about consent. We are saying that if you go through this structure, and the reason we put it the way we did, we are saying that we are making operations include some of this quality improvement. Then there is going to be this thing where it is going to go outside into this thing called the NHIN. Is that where we pick up these other things where people are saying, I want this kind of consent. So, that is a picture that is being painted. We heard an awful lot of testimony that there is a concern. The only thing I would hesitate on is Marc's earlier comment. We make a lot of testimony go away. We make a lot of opinions and other things go away if we completely removed it.
Now, I like your idea of thinking about it throughout, but the point is, we did ask for it. We did get it, and we did hear clearly as we said earlier. When it goes to the NHIN, some people may want to be in, some people may want to be out, and other things. We listened to Mayo. We listened to a lot of other people. So, the point is, this is a significant subject that if you start from HIPAA and you build up from operations, you do not pull it in until kind of now when we go to something a little bigger, it becomes some kind of an elephant anywhere between 200 and 900 pounds sitting on the table, and we have got to do something with it. That is why this discussion --
MR. ROTHSTEIN: So, Harry, I am just trying to get clear. The purpose of this then – So are you basically saying that notwithstanding all of the other stuff in the report which addresses at least the initial uses of information by covered entities as we contemplate the wider dispersion by the NHIN, the additional issues that are raised, some of which we talked about earlier, but these are some of them and we need to do research.
MR. REYNOLDS: That is what we are saying. That is kind of where we are going.
DR. STEINDEL: I think a lot of this discussion has clarified the first part of my comment. I was having problems with this transition to an NHIN sort of coming out of the blue. But that has been kind of explained and clarified in the discussion that we have now and how we might reword things then.
My next comment is just a practical observational comment. Mark ground some of these proposals to the demonstration projects coming out may be a feasible approach, but my observation has been every time NCVHS recommends that we do demonstration projects and evaluate, we send letters on a one-year, three-year, five-year basis asking why hasn't it been done? So, I just wonder about the usefulness of a recommendation like this.
DR. CARR: I agree. I go back to what Mary Jo recommended. Maybe as we can figure this report, we follow what Mary Jo said. We actually have set the stage to say that it is a new world and there are new issues that were not envisioned by HIPAA, but that we address each of these issues about what is the future state. What is the electronic state? What is the evolving state? What are the gaps and grey zones? Then, how do we address them? It might be something learned from a pilot. It might be holding hearings and Quality Workgroup suggested that we hold hearings more on quality versus research. It would be a variety of places to look. I really think that this model of here is the issue future state, current state, and gaps and needs and recommendations will help us very much to stay on top and to be sure that we have addressed – and also to help us kind of say why opt-in, opt-out is not something we can do today with claims data or whatever, but that we are building toward it and we are thinking about it and learning so that as we are ready to get to it, we are well informed.
MS. AMATAYAKUL: I was going to only add in addition to as Mark described, I think it really was the intent, and we can elaborate on that. I think Kelly also asked us to make a list of things that could be evaluated in some demonstration projects. It does not mean they will do that necessarily, but that was one of the purposes.
DR. DEERING: Having read the RFP that went out for the trial implementations and through other anecdotal evidence, which is not data. It is a fact that what the NCVHS says has an impact out there. I do believe that functional requirements were in the RFP. In other words, part of 7.2 has already been accomplished. It was written into the RFP. Secondly, those who are recipients or even applying for these, they listen to us. These things that are out there that are the results of thoughtful processes, these are extraordinarily valuable. So, we should never hesitate, I do not think to put them out there because they can be voluntarily picked up regardless of whether they are written into a requirement by HHS.
DR. GREEN: So, what I just heard is that there is quite a bit of consensus following Mary Jo's advice about this earlier articulation. The way I heard Justine say it is it is a new world. We have got some suggestions about the directions that need to be followed to that new world overall about where this comes out and meanwhile we still have to get along and get things done. We have got some suggestions about how to get along while we are awaiting the birth of the new world. Is that the deal?
MR. REYNOLDS: Yes. I think another thing to play off some of the other comments, as we listed some of these things however we end up saying them, we did hear testimony on them. The important thing is, it adds to the debate as pilots are put out there. So, Mark in your case, you have a certain structure. If your structure fits and answers that and fits with HIPAA and does the other things, then good. There may be four other things that are set up that might not be able to pass some of these tests or do some of these things. Then, back to what we heard from the individual is, somebody please care about me. Somebody please care about my data in one way or another. As this thing continues, which a lot of us have been working on for a long time to figure out exactly what it is going to be. I think that is part of what we heard, and I think that is part of our responsibility. So, it is not to be prescriptive, but it is clear to say that these issues do not go away. The structure of whatever it turns out to be has to at least use these as some kind of filter. If whatever turns out to be that meets all these criteria without doing anything draconian past what is here, then fine. At least make sure these things are in the debate just like our functional requirements. It is nice that they are in RFP's. That is what we are trying to get to here.
MS. GRANT: Following on that comment, something that Margaret referenced in terms of what Kelly had stated. I think what they are trying to possibly understand is whether or not consumers do get to choose whether or not their information is available for quality measurement, improvement, or other secondary uses. It is not necessarily yes they do, and here is how you do it. It is sort of answering that question and throwing out opportunities for how you may measure that impact and when they do or do not.
MR. REYNOLDS: Again, I think that is why we started like we did. When you say that most of the quality fits under operations, you answered that question. Then as you move further out where we said research, here are some certain things. Now you go to the next step, which is something none of us can put a hand on, which is the NHIN exactly. We are saying there is another set of things you have got to consider. That is all that is being said as an approach. That is really the steam of this being built as we go through it.
So, that ends our slides. What we would like to do next is we are going to just touch base briefly. Justine already had some clarity to things. Most of us are in a privacy hearing this afternoon. Margaret and others are going to have a little time to work on what we are going to do. Rather than have Margaret spend her afternoon going back to the front part of the document and making another revision, we are going to have her focus on these recommendations, especially on the things that we dealt with today. The suggestions you made as far as the expected and unexpected and the commercialization. In other words, take all this list of stuff that we heard today and try to build it into these observations and recommendations. So, once we agree that that is where we are going, we can go back and adjust individual pieces. We know we are going to shorten the document anyhow, but go back to the front and make sure that becomes a crescendo. It is not just a front that does not match the back. That is what we would like to see. So, tomorrow we look at it again.
MS. AMATAYAKUL: By looking at it in terms of the recommendations, are you looking at high level slide view or specific? I would like to get down to the specifics.
MR. REYNOLDS: Specifics are fine. At that point tomorrow then we would spend the morning just going through the actual wording of the recommendations so we are not pulling it back up and saying, oh by the way, this is what we really mean. So, you would see real words recommending real things. Yes?
DR. CARR: Would we be wanting to start with modules? Here is an issue, current state, future state, and recommendation. We have it somewhat modular, so it would not just be the recommendations. In the absence of identifying where these are future states and what are the gaps, it is hard to say how the recommendation helps. I would see it sort of modular saying, here is an area we are going to focus on. This is okay. This needs work. This will be addressed in the future. Here is our future state. My question is, what defines the modules? We have heard two things, we framed it for two weeks in terms of, and here is HIPAA. Here is what falls outside of HIPAA and how we work within HIPAA. We also heard a recommendation of when we put together uses of data. I guess I am saying, what is the framework for getting to each of these topics? Is that a possibility?
MR. REYNOLDS: Comments?
DR. GREEN: I am going to take the afternoon and tonight to restudy this letter again and come back in the morning better – I have a need to understand what Justine just said a little better. I am glad we have tomorrow morning to come back to it. I do not have this fully digested. Can I ask for clarification about whether or not we are going to be looking at the report that say something akin to this: the rules and regs for quality improvement really are not working very well. The rules and regs for IRB's are not really working very well. We hear that and understand that. There is actually going to be this new type of thing. We are headed toward some sort of new institutional oversight process to accommodate these findings that we have. I do not see that in here. I am wondering if this is beyond scope? Is this in scope? Are we going to make any commentary about that?
MS. AMATAYAKUL: I think what I was initially wanting to say was, to me the observations and recommendations kind of go together. So, the observation is going to have to be structured whether it is structured from sort of the HIPAA perspective or this use perspective. Also with the, where is today? Where do we want to be? What are the gaps? Still, I think the outstanding question is, is it HIPAA or is it this use? So, that would be helpful for me.
MR. REYNOLDS: We had had some discussion and Christine put forward an idea of rather than the approach we are taking, maybe looking at it from what are the uses of the data rather than the relationships. In other words, we had covered entity, business associate, and so on. Or should it be looking at it from the uses of the data? So, that is what on the table, and that is what is being considered.
DR. OVERHAGE: If I could say a word in favor of the use oriented approach as I think about this. Two things. One is that we start out and say do not use secondary uses because then you need to talk about each use. Then we have to turn around and try to lump them all together. It has caused us some pain. The second thing though that I think is more important is it seems to me that we talked about this threshold where the boundary of unexpected or unanticipated use seems it lends itself more to that where there are some things that are clearly expected and anticipated use – clearly, if I am selling your data on the internet, that is not expected. Then there is some grey zone in between that we probably cannot resolve, but maybe we can at least say, here is a set that can clearly fall in this here. Maybe there are some things in the middle that we aught to talk about more.
DR. VIGILANTE: I think this goes back to one of the conference calls we had when we were thinking on how we were going to write this report. One of the things that we did talk about was providing concrete examples. I think we have a lot of abstraction here about a lot of words that sound very similar to each other. I think if we could go back to that earlier hypothesis that the concrete examples would be clarified in certain cases. That is something that is very focused. Without a lot of room, without taking up a lot of space might be very helpful to illustrate what we mean and what is in and what is out in certain examples.
DR. TANG: Just to go on what Marc was saying. I think we can and should be explicit on the uses. If there is a grey zone, we should turn it over to the consumer patient to decide.
DR. CARR: So, I am just trying to say then how we would put this together. So, use then would be kind of the rose would be under identifiable data. It is TPO quality, research, public health, and all of that. On the so-called De-identified non-HIPAA covered uses of data, how do you define these uses? For sale? For aggregation? How would you define these uses? Then you would modify what is expected or unexpected. Then if there is a problem, what would you do? I am just trying to get a list of uses.
DR. TANG: One of the issues you brought up was this term aggregated and the term De-identify. I think there is a big tendency towards going away from relying on De-identification as a way of protection. I think you probably can define aggregate data in a way that can be not re-identifiable. I guess I have to get back to you on the uses.
MR. REYNOLDS: Marc?
DR. OVERHAGE: I was just going to say, I do not think it has anything to do with De-identified or not. That is a whole separate dimension and really has to do with appropriateness and patient risk. Rather I think the kind of uses are things like academic research. We may have to wordsmith to determine academic. Public health and patient safety surveillance is a use. For marketing to the individual consumer or physician are uses. Those are the kinds of things that come to mind for me as categories of uses. The tricky thing of course is to cover the ground without having a list of 9,000 uses.
DR. COHN: I would apologize for jumping out of the conversation. I guess I am struggling a little bit with the distinction in the conversation we are trying to have here. I am just looking at the observations and recommendations. I would completely agree with everyone that we need concrete examples to help ground the recommendations and the observations and all of that, but I am struggling. Once again, I guess I am just reflecting the hearings that we had about the fluidity of the uses of data. So, I am just not sure that trying to categorize or reframe all of the recommendations and observations around uses. We actually have discussed uses. We have research versus quality. We talked about TPO. As you start dividing things up finer and finer in uses, suddenly all the recommendations apply to all of the uses. So, I am just not sure if that really helps us a lot. Maybe I am off point on this one. Margaret if you think I am off on this one – I guess I am just trying to argue the middle ground here in terms of how we can ground things in uses, but not completely restructure everything.
MS. AMATAYAKUL: It seemed to me that early on there was discussion about following the data. So, to me that is sort of the uses. Then I think there was discussion that any time you follow the data, the action has to be conducted by an entity. The jurisdiction resides in an entity. So, it falls back to as a covered entity, business associate, or whatever. I am concerned that from a practical standpoint, we could be more diligent in each category-covered entity and so forth to describe different kind of uses within that and the range of uses. I am not sure that restructuring it solely on use will help.
DR. STEINDEL: A very brief comment. This is to refer to Simon and now Margaret's comment. My comment is ditto. Those are the observations I was making as well.
DR. TANG: The usefulness of the first exercise, which was to make sure we have a checklist to bounce off. One of the things was the clear testimony we had heard was people were concerned when their data was sold. So, instead of trying to innumerate all of the uses, the areas that we need to concentrate on is where there is financial benefit. The reason I say it that way is because I am reminded of the AHIC group and there was questioning of this one testifier, and they swore they did not sell the data. It finally got to the point of, we share it with our sponsors. So, there are ways people have gotten around couching what happens. So, that is why I am calling it financial benefit. When there is financial benefit that applies to someone other than the subject of the data, we need to have an explicit way that the consumer can make the decision in these grey areas.
DR. DEERING: My comments will come from a communication perspective. The first one will be to just support the utility of a use approach as opposed to a stakeholder approach. They both have value because you want the stakeholders to recognize themselves. So, there is a clear communication utility there. Oh, this applies to me. On the other hand, the strength of the use approach is exactly as Paul had said. There are clearly only one or two uses for which there is considered to be true problems. Everything else is really acceptable, you just have to explain it and tighten it up here or there. We do not have to write 30 pages about it. It is really pretty fine. Let us just tell people what we are doing and make sure there are no sloppy loose ends and that it is being done appropriately. Then there is this one big thing. I do not see any other way to effectively address that other than somehow through a use-based approach.
MR. REYNOLDS: You mean that one specific category?
DR. DEERING: Well, somehow to make sure that that comes out. I will go no further. I will just leave it there.
My second observation was that some people want to be very concrete, but then we want to project this future desired end state. The very first NHIN Report had scenarios that were considered as useful as anything else that was in that report because it was trying to project this future end state. The workgroup put as much effort into those scenarios as it did into the recommendations. I do not think that anything is more than one column on a page. Since we want to project the benefits of the new uses as well as the harms, we could take a positive approach and show what is needed to enable it. You could have one that shows protecting from the greatest harm of all, which is the sale of one's data, which is unexpected.
MS. ANDERSON: Just for clarification too, I agree that both matter. Essentially, you have to kind of build the matrix to see where they apply. I think a first recommendation was to try to build a matrix because I think it would help us think about, business associates only have so many uses that are within their business associate agreements normally. They may have agents that may have different sets of uses. I think my comments were particularly whenever you are introducing new oversight for accountability to be specific about to whom that applies by considering whether or not that entity will have different accountability for different uses. So, that way, when you are imposing what might be accountability and new burden that they are applied with the spirit rather than be blanketed and/or too narrow. I think that is where I was coming from.
DR. COHN: I think both Justine and I were actually looking at Appendix D, which is the risk benefit analysis framework. I do not know if that begins to address some of what we are talking about. I guess I would wonder about that. Number two, I guess I am just seeking clarification from Paul a little bit about the framework of what we have here versus what I heard him mentioning. I think what we were talking about, the way we were trying to address unintended, unexpected uses of data was at least to my view sort of a multifactorial approach. It was increased transparency. There was also the view of better data stewardship within healthcare organizations and tighter business associate relationships. Then we got into the issue of what I want to describe as consent management. Trying to figure out how to do them, at least what we had described in the document was almost more of like, it is a really good idea. We need to investigate, evaluate, do demonstrations, see where it is appropriate and how it might work as opposed to just saying, everybody aught to be able to opt-in or opt-out.
I am just reflecting against what you are saying. Am I even describing this correctly? Secondly, is this something people generally agree with the way we have been framing this particular set of issues? This is obviously a key issue about this unintended consequence.
DR. TANG: Christine brought up another reminder in terms of one of the discussions we had, which I think resonates with a lot of folks, which is the position of accountability. So, instead of – and I think it is a nice marriage of what you said about consent management, which is really touch, burdensome, and ineffective. So, rather than do that, it is sort of like the pornography thing. You cannot define it, but you can recognize it. In truth, most people can recognize it. This is not something I would want people to know that is happening.
So, I would say that this grey area that basically if people are accountable for what they are doing with the data – it is really going to be the financial benefit occurring to others than the subject of the data. The organization that is going to be releasing this or disclosing this has to be accountable for the harm that is caused by it. As I say, people are pretty straightforward even though we cannot innumerate the thousand uses – what is likely to be unexpected and potentially harmful to the subject of the data. If they are willing to take accountability, that is one operational test that is not particularly burdensome. I think that we are trying to be practical, yet effective.
MR. REYNOLDS: I think if you think through the document, I think what I am hearing as far as uses are concerned is people want more discussion about what the uses are because the actual recommendations in the framework more than likely are going to be the same. We still are saying we are basing it on HIPAA, but we are not spending enough time – some of the subjects that were in here were more individual subjects and not started with the unexpected and the expected. So, it is not telling that story up front. It is just saying individual things. In the end we go, we are going to start with the HIPAA structure, and here is what we are going to do.
DR. TANG: It may be a new way of framing the problem. That I think is a contribution of this report and this activity.
MR. REYNOLDS: If you go back for example to the very first set of recommendations we have on these slides where it talks about – we still might base it on the whole HIPAA thing. That is under stewardship now more than it is under HIPAA. Because of the uses we described, that is one of the steps that allows good stewardship, things that are already in place.
DR. TANG: Another thing that came up, I think we are moving from an organization based HIPAA to a data stewardship based on expected use. I think that is just a new framework.
DR. CARR: So, Simon mentioned Appendix D. It begins to get at this matrix with some adjustments. So, I wanted to also make note of the fact that do we need this other matrix on source of data and all this stuff? I do not think so. When we chose the glossary of terms in the taxonomy, I would just like to suggest that we identify what is the net we are casting to include a term in that glossary. Is it any term we have heard in any of the hearings? Is it any legal term that comes up in HIPAA? Is it terms that are confusing? I feel like we need to say why they are in here because there are some terms in here that maybe we are not addressing but we are putting in here. That might be confusing. I would just ask for a strategy about what goes into the glossary.
DR. COHN: This is good. We were talking last night over dinner and we were talking about really what we are trying to do is enhancing HIPAA. We talked about it as a new framework. We actually do have recommendations for a whole new framework, which of course requires legislation, but we are also trying to deal with whatever you describe as practically possible, which means taking current vehicles that we have and significantly improving them to make them capable of dealing with the new world. I think we are in agreement in spirit of what we are talking about here. I guess I just prefer – recognizing that we are trying to take this vehicle and outfit it for the new world in some way. Hopefully we can mention that in here.
Now, with that, I know we are at 12:00. I know Margaret has a lot of work to do. As we are talking here and recognizing that it may be that the Appendix D, even though – I am actually wondering – I mean, we tried to put in the recommendations and observations, and it was such a show stopper because it was just sitting right in the middle of the recommendations.
DR. DEERING: One thing that I have been struggling with Margaret with trying to figure out is it seems to me that the one thing that is missing from Appendix D is a statement of the current attributes for the data and how we get that in there. It is not just what you want to do with it. So, that has already been taken.
DR. COHN: I think taking a different approach to getting the same information. So, thank you for giving us a fresh set of eyes.
Now, let me just sort of talk about the rest of today and tomorrow. Around 1:00 or 1:10 we are coming back as Privacy and Confidentiality. Margaret is going to be working on aversion. I know some people will be calling in tomorrow that are in person today. We will try to get a next version out sometime later today would be – maybe. So, Paul, check your e-mail.
Now, I think we will just have to judge tomorrow at the end of the day about this plan about when we can more publicly distribute advance drafts of this document. I said we all have to be nodding our heads and feeling that we got it right. We also – I think there is an urgent need to make sure that we get some secondary input in all of this. So, we are just going to have to balance that and make judgments tomorrow.
With that, I think we should adjourn until 8:30 tomorrow morning for this group. Others will be back here after lunch. Thanks.
Whereupon, at 12:07 pm, the subcommittee meeting was concluded.