[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

January 23, 2007

National Center for Health Statistics
Hyattsville, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703)352-0091

P R O C E E D I N G S (9:15 p.m.)

Agenda Item: Introductions and Opening Remarks

DR. ROTHSTEIN: Good morning, everyone. My name is Mark Rothstein. I am the Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. The NCVHS is a federal advisory committee consisting of private citizens that makes recommendations to the Secretary of HHS on health information policy.

On behalf of the members of the subcommittee and its wonderful staff, I want to welcome you to today's hearing, which is titled Privacy Protections for Medical Records of Non-Covered Entities. We are being broadcast live over the Internet, and I want to welcome our Internet listeners as well. We also have several people who are with us on the telephone, and we will hear from them shortly.

As is customary at our hearings, we begin with introductions of the members of the subcommittee, staff, witnesses and guests. At this time I would invite subcommittee members to disclose any conflicts of interest they might have.

I will begin by noting that I have no conflicts of interest, but before proceeding to the rest of the introductions, I want to welcome the newest member of the subcommittee who is with us by telephone this morning. That is Leslie Pickering Francis. Dr. Francis is chair of the Department of Philosophy and a professor of law at the University of Utah. She is one of the nation's leading experts on ethical and legal issues surrounding health privacy. She has served on health IT advisory committees in Utah. The members of the subcommittee may recall that she testified before the subcommittee at our hearing in San Francisco in 2005. So I want to especially welcome Leslie.

Now I will take the opportunity to get the rest of the introductions.

(Whereupon, introductions were performed.)

DR. ROTHSTEIN: Thank you, and welcome to everyone. This afternoon from 2:30 to 2:45, members of the public may testify for up to five minutes on issues relating to the topic of today's hearing. If you want to testify, please sign up at the registration table.

Witnesses have been asked to limit their initial remarks to 15 minutes. After all the witnesses on a panel have testified, we will have a time for questions for all members of the panel. Witnesses may submit additional testimony in written form to Maya Bernstein, lead staff to the subcommittee, within two weeks of the hearing.

At this time, if you haven't done so already, I would request that witnesses and guests turn off their cell phones. Also during the hearing, especially given the logistical problems we have already encountered, I would ask you all to speak clearly and into the microphones, so that those listening on the telephone as well as on the Internet can hear us.

To introduce the topic of today's hearing, I want to call your attention to the NCVHS letter to the Secretary dated June 23, 2006, specifically recommendation R-12 on page 11, which I am sure all of the subcommittee members have memorized, but for everyone else's benefit, I will quote it.

"HHS should work with other federal agencies and the Congress to insure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers and schools."

The subcommittee has attempted to follow up on this recommendation by getting a sense of the range of entities that would be covered by a more commercial health privacy law or regulation, their current regulatory and professional obligations and the practical implications on their operations and on the individuals whose health records they use.

At our hearing in September of 2006, we heard from the representatives of the life insurance industry, occupational physicians and school nurses. At our hearing in November 2006, we heard testimony from representatives of the financial sector. Today's hearing focuses on entities engaged in activities associated with health care but currently not subject to the HIPAA privacy rule coverage by virtue of the fact that they do not bill for their services or for other reasons.

Quite frankly, in preparing for this hearing, I was struck by the vast number of health related entities that are not covered by the HIPAA privacy rule.

We will hear from two panels this morning dealing with this issue. Then in the afternoon we will consider the statutory authority under HIPAA to regulate covered entities and explore whether HHS has the authority to define health care providers more broadly, or whether Congressional action would be needed to extend coverage to some of these providers in accordance with our June recommendation.

At this time I want to welcome our first panel. I would note for the record that the schedule has listed Dr. Marshall from WebMD, and he is not available to be with us this morning. So the first panel will have three witnesses, and then at the end of their statements we should have ample time for questions and discussion.

So I want to welcome the panel and our first witness, Carolyn Walton.

Agenda Item: Panel I: Non-Covered Health Data Benefits and Services

MS. WALTON: Good morning. Thank you. On behalf of Walmart, I appreciate the opportunity to provide both written comments and enter into discussion with you this morning on this important topic.

Walmart is based in Bentonville, Arkansas. We employ 1.8 million associates around the world. More than 1.3 million of these are in the United States, making Walmart the largest private employer in our country.

There is no issue facing the business community in America that is more significant than how the public and private sector will work together to address the national health care crisis. This is both a fiscal and a quality of life issue for millions of hard-working Americans.

Walmart fully endorses and supports the initiatives set forth by the Administration to promote price and quality transparency, to drive health IT standards, and to provide options that promote quality and efficiency. President Bush and Secretary Leavitt, and I'm sure you are very familiar with this, have put forward a vision that says, in the Secretary's words, that would create a personal health record that patients, doctors and other health care providers could securely access through the Internet, no matter where a patient is seeking medical care.

With 1.3 million associates in the United States and our company health insurance costs growing at 19 percent per year over the past three years, we certainly support these initiatives. At Walmart we are committed to bringing about solutions to some of the most pressing health care challenges facing our country's working families. We have made this a major focus of the last year. More affordable health benefits improvements are just one example of that. We are making a real difference for our associates, our customers and the communities we serve, and we are building on those efforts.

That is why Walmart along with several other large employers who are concerned about the rising cost of health care and concerned about inefficiencies in the current system, are coming together to form Dossia, a new nonprofit organization that will provide a framework for electronic personal health records. With employers paying almost half of all U.S. health care costs, Dossia will be an important component in making the health care system more efficient and effective, eliminating waste and duplication of effort on behalf of consumers and providers.

I would like to begin by speaking briefly about electronic personal health records in general, and then I will move to speaking specifically about Dossia.

Electronic records allow individuals to manage an extensive and comprehensive record of their personal medical history, and ultimately to receive the best possible treatment. These records can help eliminate duplicate medical tests, erroneous or lost information, help reduce administrative costs and help prevent thousands of serious illnesses or even deaths that result from prescription or other medical errors every year. Because these records are electronic, there is no paperwork to lose and no files to transfer.

For example, an associate and his or her doctor can review recent prescriptions and track office visits. Doctors can evaluate past X-rays, immunizations or screenings and make more comprehensive decisions about the proper course of treatment, avoiding duplicate or unnecessary tests. A record of a patient's medical history will be available to them and to their doctor, saving money and saving lives.

There has been a tremendous amount of interest in the issue of electronic medical records and hospital and doctor groups have long supported efforts to computerize medical records. However, little progress has been made due to financial and technological constraints. As a result, today only a small percentage of doctors in the U.S. use a completely electronic recordkeeping system.

Dossia is a first of its kind collaboration between Walmart and other employers, and it represents an important first step toward bringing greater efficiency, quality and transparency to the U.S. health care system. Dossia will provide Walmart associates and employees at other founding companies with a framework through which they and their doctors can both build and maintain private electronic personal health records.

The mission of Dossia is to empower people and their doctors to be active partners for health, by providing secure, convenient access to lifelong health information. Dossia's objective is to transform the U.S. health care system, reducing waste and facilitating better care by developing and making widely available a lifelong personal health record.

Employee participation as a Dossia network user is completely voluntary. At the request of employees and other eligible individuals, the Dossia network gathers health data from multiple sources. Once gathered and secured, it is stored in a decentralized database. The health information is continually updated and is available to individuals for life, even if they change employers, insurers or doctors.

Electronic health records provided through Dossia will be personal, private and portable. They will not be tied to an individual's employer or health care provider or to their software. This will provide choice and differentiation for both employers and consumers. Individuals will own their personal health record and can decide who outside of their doctors has access to that medical information.

Employers will not have access to their employees' personal health record. Dossia is hosted by an independent not-for-profit institute, creating a barrier between employee data and outside parties, including the founders of Dossia. Quite simply, Walmart will not be able to view associates' personal medical records. They will be 100 percent private.

In the initial stage of the program, founding members' employees will have access to this service, and over time it will be expanded to include more and more health care consumers. Currently, Dossia's founding members include Walmart, Intel, BP, Pitney Bowes and Allied Materials. Together employees at these firms represent about two and a half million U.S. health care consumers. Participation in Dossia is open to other employers who are interested in bringing electronic health records to their employees.

I would like to spend a moment talking about how a personal health record is developed through the Dossia framework. There are many different groups and entities that offer personal health records, but Dossia provides what is missing today in terms of portability, accessibility and transparency. Dossia is based on the Connecting for Health common framework, a set of design and policy standards established by a collaboration of industry stakeholders. It includes consumer advocacy organizations, physician groups, insurers, technologists and certainly privacy advocates.

Connecting for Health is founded by the Robert Wood Johnson Foundation. The goal of the common framework and of Dossia as the framework's first real world deployment is to provide a robust, secure and flexible data capture and authentication system through which consumers can aggregate their health information to create an independent lifelong personal health record.

The unique Dossia framework gathers health information on behalf of the individual from various sources, and it stores it within secure databases. Dossia's open architecture will support multiple personal health applications, allowing users to organize and summarize the information in ways that are most useful to them.

Health records will be secure, they will be private, they will be accessible only by the individual or by others to whom they have granted permission. Records will also be portable, enabling individuals to continue using the records even if they change employers, if they change health plans, or if they change doctors.

Dossia enables an individual to develop a personal health record by two means. First, they can enter the data themselves and enable the system to search and securely aggregate their individual health data from a variety of sources. Once Dossia is complete, it will begin drawing information from all available electronic sources in the health care system on behalf of the individuals who request it.

But despite all our efforts to build the broadest possible network, a tremendous amount of medical information is going to remain on paper for years to come. So as a result, Dossia will allow patients and consumers to capture and store scanned images of any documents they feel are important and they one day want to share with their caregivers.

In the testimony that is submitted, I have included some quotations from a number of other sources regarding what they are saying about electronic personal health records. In the interest of time I will pass over those so that you can review that in more detail later.

Moving to the topic of trust and privacy, we all know that trust is a vital component of any health care initiative or relationship. That is certainly true for e-health initiatives. As discussed earlier, e-health has enormous benefits for consumers, but if individuals do not trust the system, they won't use it. They won't provide complete information or otherwise reap those benefits.

Trust in how medical information is handled could be improved, even in regulated areas. Surveys continue to show that significant percentages of consumers are not as confident as they should be that health records will be secure, and that they won't be shared in inappropriate ways.

EpicTide, a security provider for the health care information, reports in its December 2006 survey that 98 percent of consumers believe that health care organizations should protect medical records, but that only 40 percent feel confident that providers do indeed secure those records. This is consistent with other surveys that have been conducted since 2000. There are also increased reports that medical identity theft is on the rise and given the need for trust in public concerns, personal health records and other e-health initiatives will need to focus on this important issue.

At Walmart we take very seriously the privacy of our associates and the privacy of our customers. Trust is a focus for our initiatives.

I would like to speak first about some general privacy principles for e-health initiatives before turning to Dossia in particular. I thought it would be helpful to put personal health records in context by framing some key privacy principles that seem to be common throughout many of the existing e-health records. Then I will discuss unique aspects of personal health records in more detail.

For purposes of this discussion, I am happy to use the definition that your group submitted in the June 2006 report. Health information privacy is an individual's right to control the acquisition, uses or disclosures of identifiable health data. This is a good definition for privacy in other contexts, too, and it shows the distinction with security.

Privacy involves the deliberate choices in policies afforded to and exercised by the individual, by the entities the individual deals with regarding managing their health information. Basic privacy principles include the fair information practices of notice, choice, access, security and redress. As the report notes, control is a concept that overlays e-health initiatives and particularly personal health records.

Notice in general concerns how the individual understands how the collector manages information, including such things as its acquisitions, its uses, disclosures, access and security. Choice concerns options that individuals may exercise regarding data management. Examples include where the records are contained in an e-health system, or who has access to health records. Access concerns who has access to that data. Individuals should have access to their own health information conveniently and affordably. Security involves how the integrity, security and confidentiality of health information is protected. Finally, redress concerns how an individual can ask questions or file complaints about the data practices. How data is managed should be transparent.

Personal health records offer unique privacy issues and certain privacy enhancements. I will first discuss personal health records as their own system, and then personal health records as part of a network.

With personal health records, by definition the individual controls more aspects of the system. This starts with the decision whether or not to even participate in the personal health record at all, as well as exercising control over access to that information. Simply put, the individual is the driver of his or her health information.

Given this model, I would like to describe some examples about how fair information principles will operate in the personal health record context. The first is notice. The main issue with notice is how to communicate data practices and how to make that information effective rather than simply making it be a box that is checked as to whether or not that information is read or not.

With personal health records, individuals need to have a basic understanding of how it works before they sign up for and before they use the system. Personal health record models will need to focus on the communications and notice aspect with some robustness.

Other examples are choice and access. Personal health records give individuals a new level of access. Never before have they had access to their health records at their fingertips at any given time in quite the same manner. This level of access will allow the individual to check their records and update them for completeness and accuracy. Not only do they have immediate access, but the individual can determine who else should have access to their records, which again gives them control.

Personal health records can also function as part of a larger network such as a Nationwide Health Information Network. Data exchanges between networks raise privacy issues, too. One of the biggest questions is how centralized or decentralized these networks should be. There are pros and cons to the varying approaches, including with regard to ease of use, data accuracy and risk management. These issues are going to have to be carefully considered as the networks are more fully developed.

Regarding Dossia's privacy and security, the first and last job of any medical record system is security. This begins with an industrial strength shared system for verifying a user's identity. Dossia features stringent privacy and security policies and procedures, including a strong authentication system. Individuals opt into the system, then they decide what information to share and with whom. No one can see an individual's information without his or her permission.

Additionally, since Dossia is hosted by an independent third party, there is an organizational barrier between the data and outside parties, including employers and health insurers. Because Dossia will be connected to data networks that exist today behind the curtain of the health care system, and because of the sophisticated and rigorous security and patient record location intelligence included in the common framework design, the user of a personal health information product will be able to quickly access his or her information. The information will pass through the Dossia network into the patient's control and will be completely de-identified, assuring privacy in the unlikely event that it is not the patient's actual medical data.

Furthermore, in keeping with the principles of the common framework, and as a final way of insuring data integrity, the user will have the ability to review that data and choose whether to include or exclude it from their record.

In conclusion, Walmart as a founding member of Dossia is committed to the success of e-health records, personal health records and privacy and security for those records. We are prepared to assist members of this committee in any manner as you keep considering the important aspect of personal health records for Americans. We are committed to working with state and federal leaders to define real action steps that can be taken to move the discussion forward.

Today there are more than 45 million Americans without health insurance. Affordable and accessible health care is out of reach for many Americans. Walmart understands that our nation cannot address this problem without a combination of technology and common sense. This is what we do each day in urban areas and small towns across America, and this is how we hope to assist in this vital national effort.

We appreciate the opportunity to present our views, and look forward to any questions you may have.

DR. ROTHSTEIN: Thank you very much. You have raised a number of very interesting issues that I'm sure the members of the subcommittee would like to pursue during the question session.

At this point I want to turn to Dr. Yasnoff. Please proceed whenever you are ready.

DR. YASNOFF: I assume you are on my title slide, and I will cue you as to moving the slides forward. For those on the Internet in particular I will attempt to speak in a way that doesn't absolutely require seeing them.

First of all, thanks very much for the opportunity to testify. As many of you on the committee who know me are aware, in my prior roles at the CDC and as senior advisor for National Health Information Infrastructure at HHS, I served as staff to NCVHS. So it is wonderful to be back in another role, to have the opportunity to testify.

In addition to my primary activities as managing partner of NHII Advisors, an HIT consulting firm focused on helping communities build health information infrastructure, I am also the CEO and founder of the Health Record Banking Alliance, which is a relatively new organization just several months old, a nonprofit promoting the idea of health record banks such as Dossia. We are pleased to have a number of organizations participating including Dossia, Cerner, EDS, Microsoft, Patient Privacy Rights, NHIMA, Holven Health, You Take Control, the Pharmaceutical Manufacturers Association and the Heritage Foundation, among others. We have developed a relatively broad based coalition to promote the idea of health record banking.

What I want to talk with you about today is how health record banks enable privacy and health information infrastructure. If you go to the next slide, I am going to say a few words about requirements for health information infrastructure, then talk about the health record banking model, then the privacy implications, and make some specific policy recommendations to the subcommittee.

You will need to pick through this. There are four major components of the community health information infrastructure. If you click once, you will see the pot of gold at the end of the rainbow is complete electronic patient information, anywhere anytime complete health care information and decision support at any point of care.

This needs to be supported by three pillars. The first one is stakeholder cooperation, the second one is financial sustainability and the third one is public trust. If you have these three things supporting complete electronic patient information, you essentially have a complete community health information infrastructure.

If you go to the next slide, I will talk about the four elements one at a time. First, complete electronic information. The good news is, most of the information is already electronic, labs, medications, images, many hospital records. The big problem with electronic information in health care is, only a small percentage of physicians have electronic health records, primarily because the business case for outpatient electronic health records is weak. I think you can be sure that if acquiring electronic health records in physicians' offices was a money making proposition for physicians, they would be doing it.

In order for you to be able to have complete information, you need to be able to move the information. Frankly, you can't electronically exchange information that is not electronic, at least not easily. So you need financial incentives to insure that physicians acquire and use the EHR. So I have listed that as the first requirement, that you need financial incentives to create a good business case for outpatient EHRs.

Then the next requirement for having complete information is, you need a single access point for the information. There are basically two ways to do that. One is to gather together the data when it is needed, what I call the scattered model, where the data stays where it is and there is no duplication of storage. When the patient shows up for care, you basically have a query to an index of where the records are located, and then a large number, a potentially very large number, of secondary queries to all the different places where the patient has visited in their lifetime. Then you have to wait for those responses to come back, integrate them and deliver the information at the point of care. In fact, this is what the Markle Foundation recommends.

This has a number of drawbacks, including all the systems that have information have to be online and available for query 24/7. This is extremely problematic, particularly for physician EHRs.

In addition, each system that is to be queried incurs the added cost of those queries, both the initial added cost in terms of hardware, software and additional communications capabilities, and ongoing maintenance costs. So you have added costs to every element in the system.

The response time is slow because you have so many secondary queries to process and you cannot finish your work until all the systems have responded. Also in this model, you can't search the data because you don't know what the data is. So you have to basically acquire the complete record sequentially and then search it sequentially in order to find out for example how many people in a given area have a cholesterol over 300. This makes this methodology essentially useless for public health, for research and so on.

You also have a huge interoperability challenge, because you have to be able to insure that every source of electronic health information in the entire U.S. is standardized and accessible to you, because you have no idea where any given patient may have been. Finally, the records are only complete if every possible data source is operational, which is going to be very, very difficult.

The second option is to have a central repository. By central repository, what I mean is an operation where there is a central administrative organization that has direct control over all the data. This does not mean that all the data has to be in a single server. It can still be distributed, as long as you have control over it and you are operating it, so that you can assure that you can get the data when you need it.

The advantages of this are, you have fast response time. You don't have interoperability problems between communities because if you have a person's complete record, that health record bank does not need to communicate with any other health record bank about that patient. It is very easy to search the data. Of course, that would be by permission. The reliability depends only on the system that you are running. Security can be controlled in your location or locations, and you can assure the completeness of the record, and this is extremely low cost.

The problems with this are that the public trust when you put all the information together is challenging, and you also have to duplicate storage, but it turns out storage is inexpensive. I have listed the second requirement that you need a central repository for storage.

If you move to the next slide, it starts the three pillars that I talked about. The first pillar is stakeholder cooperation. If you think the health care stakeholders are going to cooperate voluntarily, I would like to chat with you after the session, and I think I can convince you otherwise. Obviously you could pay the health care stakeholders to cooperate, but financial sustainability is a big problem already, and there is no money available for that.

So really, you need to mandate cooperation, and you can do that one of two ways, either with a new mandate or thankfully HIPAA provides an existing mandate, because HIPAA requires information to be provided on patient request. So if you design a system where the patient is requesting the information, everyone has to provide it.

If you go to the next slide, financial sustainability, in order to pay for this there are a number of options. The government is not going to pay for this. I am not going to discuss that. The federal government is not going to pay for it, state government is not going to pay for it. The best that is going to be forthcoming are startup funds.

The health care stakeholders in some cases will pay for it, but in general are paid for giving care, and it is difficult for them to make investments like this. In particular there are no health care stakeholders that have an interest in having electronic health records in doctors' offices, or we would have them.

The payors and purchasers, the insurance companies and the employers, ought to pay for this, but typically are skeptical about benefits and are concerned about free rider and first mover problems as these systems are established.

Interestingly, consumers have indicated a willingness to pay for this. In one survey, 72 percent of consumers supported establishing electronic records, and in a 2005 survey 52 percent of consumers indicated they would be willing to pay five dollars per month or more for their medical records to be electronic. So I have listed as the fourth requirement, the solution has to appeal to consumers so that they will pay a little bit for it.

Public trust. I have a couple of slides on this. To me, the actions of public trust in a system like this is having patients totally control the information. You will hear me emphasize that point again in a few minutes.

You also need to have a trusted institution that handles this information. One way you can have a trusted institution is via regulation like banks. If you think about why we trust banks, it is not just because they sometimes have trust in their names. We trust banks because they are subject to state and federal regulation, they are subject to regular financial audits. The federal government in its wisdom has provided us at no cost a no copay no deductible insurance policy for our deposits up to an amount larger than most people deposit. So sure, we trust banks.

I used to say that you couldn't have regulated health record banks, that it was impractical. But I put question marks by that now because there was legislation introduced in the last Congress and will be introduced again to set up a regulatory framework for health record banks to provide valid legal protections and a legal framework for them. In the meantime, the best you can do is to have a self regulated community owned nonprofit with a board that has all the key stakeholders, independent privacy oversight and operate in an open and transparent manner. So I have listed that as a requirement.

You also need a trustworthy technical architecture. I won't spend much time on this, but you need to prevent large scale information loss. You can do that by having your searchable database offline and carefully screening all employees, and treating that information as you would high security classified information.

You also have to prevent inappropriate access to individual records. What I recommend is a separate server for that, using state of the art computer security to ensure that you can only access one record at a time with strong authentication, no searching capabilities, and a secure operating system. I am happy to talk about that more in the question period if you like.

These requirements lead you to the health record banking model, where all the information for a patient is stored in a health record bank account. The patient or whoever the patient designates controls all access to the account information, and there is absolutely no reason for anyone to have access, because everything in there is either entered by the patient or is an original record that is held elsewhere. So there is no reason anybody else for any reason should be allowed into that information without patient approval.

Each health record bank needs to have at least three interfaces, a withdrawal window for record access, a deposit window to receive new information when you get care, and a search window when authorized requests are received.

The way this works is, once your initial information is gathered, whenever you receive new care, whatever new records are generated are sent to your health record bank for deposit in your account. Thereby your information is kept complete, and all data sources would contribute as patient requests for HIPAA.

This is an animated slide, so you will need to click through this. You see health record bank in the left corner. If you click once you will see a circle with the health record bank. Click again, there are the secure patient health data files. If you click again, there is the clinical encounter. Click again, the clinician inquires to the health record bank for the patient's record. If you click again, you see that the patient has to give permission. If you click again, if the patient says no, nothing is sent. Clicking again, we hope of course the patient says yes, in which case the patient data is delivered to the clinician. If you click again, we hope that encounter data is entered into an EHR. If you click again, the new encounter data in total is sent to the health record bank for deposit, then if you click one more time, you can then have an optional payment for that deposit to the clinician's financial bank, and through those payments you can offset the physician's use costs of the physician EHR.

Let me talk for a minute about privacy implications. First of all, the essential elements of privacy protection in my view are the consumer control of information release. This allows each consumer to customize their own privacy policy.

To me, this is the only way you could possibly satisfy the privacy needs of all consumers. There is no way in my view to have an overarching privacy policy that is going to make everybody happy. And health record banks facilitate this privacy through consumer control.

The granularity of the control is limited to what information is visible at the control point. So if you have a scattered model, where all you know is the location of the information, you can only give your permission by location of information. You cannot be more specific than that. So since in the health record bank model you have complete visibility of all of the information, you can have patient permission down to the data item level.

I have five policy recommendations I want to share. I think you will find many of these are consistent with your recommendations you have made previously.

First, the consumer needs to have complete legal ownership and control of the health record bank information. The health record bank functions much like a financial trustee, with a fiduciary responsibility to follow the patient's instructions and act only in the interest of the patient.

As I mentioned, no exceptions are needed, since copies of all the information are elsewhere. When I say no exceptions, I mean none, no discovery, no subpoena, no government access, nothing. The information also needs to be protected from change in ownership of the health record bank. Failure of customer payments, so if the customer doesn't pay for their account, the health record bank does not have the option to do anything with that information except either return it to the customer or not make it accessible. They can't do anything that the customer hasn't asked for. Also, you need to protect the information from bankruptcy. You can't let the information become a bankruptcy asset that then is sold in that type of situation.

Second, all holders of electronic medical information should be required to provide it within 24 hours of creation at no charge on patient request. As I mentioned, HIPAA requires information to be provided, but you have 30 days, and you can provide it on paper and you can charge for it. So if you have electronic information, you should be required to send it. This is not a burden, because sending it is very, very inexpensive.

The third item, health record banks should be covered entities under HIPAA. In fact, as you have previously recommended, personal health information should be covered regardless of where it is. Of course, health record banks are going to function at an even more stringent level than HIPAA, requiring patient consent for all releases.

Fourth, you need to require independent privacy and confidentiality audit of health record banks. This is the equivalent of financial auditing of financial banks. There needs to be certification of those auditing entities and public disclosure of the audits.

Finally, you have to have security procedures that are sufficient to enforce the privacy and confidentiality policies.

Thank you very much, and I look forward to questions.

DR. ROTHSTEIN: Thank you very much, Dr. Yasnoff. I know we will have many questions for you.

Our next speaker and the final speaker on this panel is Professor Edward Janger from the Brooklyn Law School.

DR. JANGER: Thank you, Mark and Maya, for inviting me. I come as much as a consumer as a supplier of information. I come as a bankruptcy professor who has done some thinking about privacy issues in bankruptcy, and also about issues of data security, but not particularly in the health care context.

My one past intersection with health care privacy was at Mark's request when I thought about bankruptcy implications for bio banks, and now that I have listened to the previous two speakers, I understand why Mark put me on the panel, but I am answering a slightly different question from the one that I thought I was answering, but that is okay, because the issues are the same, and I am going to make some linkages on the fly, and I think they will be quite interesting for the group, and probably provocative.

I think I may be a little bit of a skunk at the garden party here. As Dr. Yasnoff was saying, we have to bankruptcy proof this; my thought was, oh, okay, that is a can of worms. Let me see if I can explain the can of worms that bankruptcy and insolvency create for both EHR data banks and more generally for privacy regulation through HIPAA of non-covered entities through the business associate technique that HIPAA tries to adopt. I am going to try to do those two simultaneously. I think it will work, but let's see how it goes.

The first way that HIPAA tries to deal with entities that are not covered is by recognizing that many HIPAA covered entities have to disclose data to non-covered entities and what it requires them to do is to enter into what are called business associate contracts, which is to contract for derivative HIPAA health care protection. To the extent that we are beginning to think about EHR banks, what we are really thinking about is the kinds of contracts and kinds of legal protections that need to be created for those in such a way that both the solvency of the EHR entity or the solvency of the business associate won't create privacy risks that are unanticipated.

With that thought in mind, what I am going to be focusing on is the fact that under U.S. law, for the most part individually identified data is not treated as property. It is treated as information. The way that the transfer of personal information is regulated, both by individuals and generally by the law is through contract or tort, which is to say, regimes that restrict transfer through the imposition of post disclosure liability, or alternatively through public enforcement.

I am staying away from public enforcement because bankruptcy doesn't affect that, and what I am going to focus on is the risks that are associated with the fact that data is protected through contract, and that this introduces a serious problem which was first identified during the dot com bubble now five to seven years ago of credit risk generally.

So I think there are two real paradigms that you need to think about. I am going to try to go through each one to talk about one, how bankruptcy law deals with them and two, how credit risk exists even outside the context of bankruptcy law.

The first credit risk paradigm is the one that some of you may be familiar with. It is sometimes referred to as the Toysmart problem. The second one I want to talk about is what I will call the derivative contract problem, which is something I haven't written about before in the bankruptcy context, but which I think is really important here because it is a model that has been adopted both under GLB and under HIPAA for dealing with the outsourced obligations. I think there is some real risk there that nobody has thought about, so you will get my ideas on that here first.

First, the Toysmart problem, which is a general frame for thinking about how bankruptcy deals with privacy promises. For those of you who don't know the story, what happened in Toysmart, Toysmart was a toy company that was owned by Disney that gathered information, e-commerce type information from grownups and from kids subject to a privacy policy that said we will never share your data. Toysmart then went bankrupt, and its insolvency consultant listed the customer lists for sale, and people went berserk.

What it caused people to realize was an aspect of bankruptcy that is just out there, which is that when an entity goes bankrupt and breaches a contract, what the non-bankrupt claimants have is a claim against a bankrupt entity for a breach of contract, which gets paid out on cents on the dollar. This creates a somewhat scary moral hazard problem, which is that the bankrupt entity can break a promise and make hundred cent dollars and pay damages in ten cent dollars.

There are bunches of things -- and this is not a bankruptcy problem per se, this is something that exists outside of bankruptcy and people call it the judgment proof problem. That is why we want banks to be properly capitalized and other entities to be properly capitalized. Once you are insolvent, the liability based things that try to make people do the right things don't work as well.

Anyway, this problem could exist in the context of one, an EHR that turns out to be thinly capitalized and goes bankrupt. We want to make sure that the promises it has made not to disclose data are enforceable notwithstanding the entity's insolvency.

We have a similar problem in the ordinary HIPAA context, where you have a business associate contract that requires the entity to do all the appropriate things, but then they go bankrupt. They break the contract and they are not fully internalizing the risk of their misdeed.

Now, in Toysmart there is another angle to this which we shouldn't forget as I tell the horror story. Toysmart ultimately didn't disclose the data because the FTC jumped in and sued them under Section 5 for an unfair trade practice, which didn't really go anywhere, but it all got mooshed up, and ultimately Disney paid Toysmart $50,000 for the data which it then promised to destroy. So there are other layers out there, but those aren't what I am talking about.

The response to Toysmart more generally was an amendment to the United States bankruptcy code that has significant relevance here, and a somewhat different helpfulness level in the EHR data bank context as compared to the business associate context.

The 2005 amendments to the bankruptcy code, which went effective more than one October ago, contained an amendment which basically says that personally identifiable data cannot be sold in violation of a privacy policy unless.

The unless is relatively significant. It can't be sold unless the bankruptcy court approves the sale after the appointment of a privacy ombudsman who will then negotiate on behalf of or serve as a guardian for the holders of the personal data to make sure that their legitimate privacy concerns or the privacy policy spirit is honored through whatever data transfer.

This is a really big advance. I have written both praising it and critically of it. The praise is for the ombudsman and the negotiation and the court supervision approach, which I think goes a long way towards setting a model for how to deal with these problems.

The problem with the Leahy amendment as an approach is one, there has to be a contractual privacy policy. If one is familiar with the e-commerce world and the way privacy policies have developed, they are not so much privacy policies anymore as data sharing or data disclosure permission policies. So to the extent that the businesses have already not made Toysmart like promises, the Leahy amendment doesn't provide much protection. That is something I think that has to be worked out for example in the consumer based context of an EHR data bank, where you need to make sure that the consumers aren't responsible for negotiating their own privacy contracts, because it won't work.

The business associate contract context may be slightly different. I think the Leahy amendment may be quite helpful here. Remember, the business associate contract creates a contract with bite that would then run through the Leahy amendment and give you some real protection. So I think you have got two different sets of concerns, one on the data bank, the consumer data bank, where I think you have to make sure that the privacy policy that runs through the Leahy amendment type structure is not voluntary, but on the business associate side, I think you have got something that may work pretty well.

Here is the big problem with the Leahy amendment, and it is a big problem. It only applies if the entity actually applies for bankruptcy and tries to sell data in bankruptcy. If the entity simply leaks data, does whatever it is that smaller entities do when they messily wind up, the Leahy amendment never comes into play, and the data simply goes away, leaks out, goes wherever it goes, and there is no redress against anybody.

So that is I think the bankruptcy law problem. There is a second insolvency problem that is more general and not really bankruptcy specific, which is the general contract law problem of trying to regulate or impose public regulation through third party contracts.

When we think about a business associate contract, the liability is enforceable only through contract damages. To the extent that you are relying on contract damages, insolvency, whether in or outside of bankruptcy, raises the moral hazard problem that I identified earlier, and therefore undercuts the effectiveness of contract damages as a deterrent. Hence, thin capitalization undercuts the incentive not just to not sell data, but to also take appropriate care to protect data.

This is the new part. This discussion that I am about to enter into builds on a piece that Paul Schwartz and I are about to publish dealing with data security issues more generally, and draws on some thinking I have been doing about a similar approach which is followed under the interagency guidance under Section 501 of the Gramm Leach Bliley Act, which similarly like HIPAA requires outsource entities to contract for protection.

The problem is, one, you have got the capitalization problem, but two, you have another bunch of problems that go along with this type of derivative contract regulation. One, you have got a detection problem. I can't imagine people haven't become aware of the number of data spills that have happened over the last two or three years, or more to the point that have become public over the last two to three years as a result of the passage of breach notification statutes in California and other states.

I don't mean to take a potshot at Mr. Yasnoff's presentation, but one of the types of entities that has been most subject to the notification of these spills are banks. They are really good at protecting money, but they turn out not to be all that good at guarding customer data, Bank America, Citibank.

The example of the data security breach that I think fits this example best is a case called Card Systems. Card Systems is a company that makes the boxes that sit at the checkout counter, where you put in your PIN number or you swipe your card. What they are supposed to be is a data conduit. They run data from the checkout counter to the check payment clearing entity and don't touch it except to trigger the cash register.

Card Systems had a contract with VISA and everybody that they did business with that that was all they were going to do, is ship data back and forth and not touch it. Somebody at Card Systems got a bright idea. They got the bright idea that they have got R&D to do, and wouldn't it be good to do R&D with real data. So they siphoned off some data, put it in the database, played with it and got hacked.

This violated every contract that they entered into, and they got sued. But two things have happened. One, they are still in business. Two, they are still providing this service to VISA. Three, nobody knows what information got leaked. I have never gotten a customer notice about my Card Systems data, and I'm sure I was in there.

So we have got a whole bunch of problems that arise from this, simply because people don't always know that it happens. Even if the breach is disclosed, you don't know if your data has been disclosed. Second, there are internalization problems which go along with the fact that the damages are likely to be small, so who is going to sue once I find out that somebody knows that I bought something at the A&P.

Then there is a third problem, which is that this damage regime, both under GLB and under HIPAA, this contract liability, I'm not quite sure where it comes from, because neither HIPAA nor GLB have private rights of action. So you are piggybacking on unformed tort liability or whatever to make these things happen.

I think that is a pretty good place to stop. When you get into this derivative contract regulation, in addition to the capitalization problem you have the problem of an attenuated relationship with the consumer and an attenuated relationship with the regulator. These are not insoluble problems, but as I said, I am the skunk at the garden party, they are ones that need to be thought about.

DR. ROTHSTEIN: Thank you very much. It is now time for questions. I know I only have about an hour's worth of questions, and I'm sure each of my colleagues do as well. So I will go last as is my custom, hoping that somebody asks my questions earlier. We also have two members on the telephone who may have questions as well.

So we will begin with John Houston, and then we will proceed to the rest of the panel. I would ask you to keep your questioning brief so we can get through one round of questions and if time, a second.

DR. HOUSTON: I have two questions, and they are focused towards Ms. Walton. The first being, what type of consumer contract -- I use that loosely -- do you perceive you are going to have with whoever subscribes to your system? What do you plan on telling them, how you are going to manage their data? Are you going to have a contract in place?

That is the first question. Before I forget the second question though, do you think that Dossia would be willing to voluntarily comply with HIPAA? That is the second question.

MS. WALTON: Let me take a shot at both of those. First, regarding your question about the type of contract that we would have in place with the consumer, just for the record, I want to make very clear that Walmart will not have a contract with the consumer.

DR. HOUSTON: Dossia will.

MS. WALTON: Walmart is simply contributing funding to the nonprofit organization Dossia. I can't speak on behalf of Dossia relative to the specific content of the contract and so forth. The contract would be between Dossia and the various parties involved with that there. So I can't presume to speak on behalf of that.

But the principles that we have discussed are a very high standard. They are the fair information practices that we have outlined, the specific content of the contracts. Dossia is working toward an implementation for the first group of employees of the founders in the summer of this year, so there is a lot of homework to be done. There is a privacy working group being formed to address those details.

I can't speak to what the content would be. What I would suggest is that if the committee has continued interest, that Dossia be asked to come and share more specific information over the next few months as that implementation is planned for later this year. We are very early in the stages of that rollout.

DR. HOUSTON: As our last presenter indicated, that contract with the consumers is vitally important.

MS. WALTON: It is the vital touch point. From the beginning as we talked about the common framework and others, the intention of Dossia and what is being designed and prepared regardless of regulation is intended to meet or exceed those standards that you would see within the HIPAA world, even though at this time it is a non-covered entity.

DR. ROTHSTEIN: Thank you. Now Harry Reynolds has a question.

MR. REYNOLDS: I'd like to make one comment first. If you go back to our letter that we wrote to the Secretary, I think the Card Systems -- we talked about entities especially in NHIN that will be nothing more than switches or other things, where data will pass through them. So I think that is an excellent example for us as we continue to deliberate. That is an excellent example of what NHIN is going to bring to the table. You will have these electronic switches that say, I do nothing but accept and pass on. So that is a great example for us.

My question is, as I have listened to all of you, and if you read our letter, we have some things that we couldn't quite come to full closure on. Everyone that has presented today has talked about the person having personal choice on what is in any of these records. So that is a fact and that is a statement.

The second is things like financial incentives that Bill Yasnoff discussed as to how do we get this adoption and how do we get things to happen.

Then the third is, depending upon the validity of the information, depending upon what is or isn't in there at the choice of the person, the usefulness of that data at the actual care site comes into question on a continuous basis. If it is not information that is complete enough to allow the attending provider -- and we will use provider, because as Mark said, there is a lot of people that touch this kind of stuff -- if it is not complete enough, then it probably may not be part of the process, if the caregiver can't accept it as a good record or a good index, or there is some notation that something is not there.

So I would like each of you, especially maybe Ms. Walton to start first, and then Bill and then Mr. Janger, from the standpoint of -- as you were saying, you are talking as consumers in some cases. I would like your feelings on that, because that is an issue that we are struggling with. The person gets to decide. The caregiver wants to see it all, and in the middle we want some kind of a thing to happen.

MS. WALTON: Just a quick comment there. The first decision I believe that the consumer has by choice, at least under the Dossia framework, will be to verify that the data being presented for inclusion in the record actually belongs to them; was I there in this date of service, in the highly unlikely event that some weird thing happened and you are sent someone else's information. So that authentication, that verification, is the first step.

I have heard quite a bit of discussion, and rightly so, regarding the issue of completeness, and whether or not the attending physician and others in the treatment arena will be able to provide appropriate care if the record is not full of everything.

I think that is a great question. It is no different than it is today. The physician does not have a complete history. Frequently a physician has to rely on my failing memory. If I am really sick and feeling bad, the questions I answer may -- my answers may change over the course of an hour or two as I am moved along within a facility.

There are those weaknesses today in the caregiving arena. I don't say that glibly or say that this is not an important issue.

One of the things that I have heard discussed is that as a consumer may choose not to reveal a particular portion of their health record to another entity, that caregiver will be provided some information that says the consumer is withholding some information. It doesn't say what it is, but it gives the physician an opportunity to probe more deeply and ask questions on that point.

MR. REYNOLDS: Bill, would you like to comment?

DR. YASNOFF: Yes, I would. First of all, we don't know much about having complete information at the point of care, since we never have it at the present time. We certainly never provide any assurances that information is complete. So the idea of providing any assurance, either actual or implied, that information is complete is a new thing. By that I don't mean to trivialize the question. I think it is a very important question. Providing the infrastructure that allows us to contemplate having complete information at the point of care by definition raises numerous difficult policy issues. This is one of the classes of more difficult issues.

I think clearly, at the present time, the patient has control over what information is presented. I can tell you, having given talks all over the country on NHII, after nearly every one, someone would take me aside and say, if you are going to create a system like this, I am going to have to opt out unless I can control the information, because I had my sexually transmitted disease treated somewhere else, or I got a test somewhere else, or I had an abortion out of state, or some such thing, that I didn't want my provider to know about. And of course, patients know the system as it is, and they know how to get there in a way that their providers didn't know.

As the subcommittee I'm sure is aware, the California Health Care Foundation surveyed recently on this point, and found that consumers admitted so-called information hiding behavior, 13 percent of consumers admitted this, which to me means probably a much larger percentage are actually doing it.

So the fact is that I don't think you can have any system like this unless you have patient control and you give patients the option to suppress information selectively. So the question is, what do you tell providers. I think this is a difficult question. My current view of this is that you do need to tell providers, if you know for a fact that the information is incomplete, you need to disclose that. In certain cases you have to be more specific.

Let me give one specific case. Let's say you have a patient who is on a controlled substance for pain, and the patient is trying to illegally and fraudulently obtain additional prescriptions like that. So naturally with a record system like this, they would suppress the information that they are on the controlled substance so that the next physician would not be aware.

Then you have the possibility that unscrupulous patients would be using the system to aid and abet criminal activities. Clearly that cannot be allowed. So in the case of controlled substances, if a patient decides to suppress the information about one or more controlled substance prescriptions, I believe that as a matter of public policy you must inform the physician to the effect that this patient has suppressed one or more controlled substance prescriptions. You don't have to say what they are, but you have to inform the physician. Otherwise you are building a system that can aid and abet criminal activity.

So that is one example where I think the policy is relatively clear, but there are lots of more subtle examples where it is not so clear. I think this is something that needs to be extensively debated, and there may be different approaches in different situations, depending on the sensitivity and nature of the information.

DR. ROTHSTEIN: If I may interrupt before Professor Janger responds, to point out that the subcommittee debated this issue for months, literally. We decided against the flagging route and did not include that in our recommendation.

But there is an element that has not been discussed. I want to ask Dr. Yasnoff specifically to finish his answer, and that is the decision support element. One of the things that we included in our recommendation letter was the notion that even as to items that were somehow suppressed by the individual, decision support would still operate on those facts.

So for example, I may as a patient choose not to disclose that I had a sexually transmitted disease for which penicillin was prescribed, but I became allergic to penicillin. So the record wouldn't have the STD, but the decision support would show that I was allergic to penicillin, so if penicillin were being contemplated for some other condition, then the physician would be alerted.

I wanted to ask you, Bill, is the system that you are describing, does that contain a decision support mechanism as well, or is it just simply transferring whatever records are submitted to the bank?

DR. YASNOFF: Health record banks as I am contemplating them would not actually contain decision support. Of course, they could, but that begs the question.

This is my suggestion to the subcommittee on this. If you get testimony from consumers about this, I am going to give you my personal view on this. My personal view as a consumer is that if information is suppressed, it is suppressed, and it is not available. It is not available to anybody for any reason ever, no matter what.

I think it is also very clear that when I make the decision to suppress some information, undoubtedly the general counsel of whatever organization is letting me make that decision is going to put a warning on the screen, something to the effect that by suppressing this information, you may be causing your own death, and sign here. I think that is perfectly appropriate.

But if you do not allow patients to really control this information, I think that there will be tremendous resistance to the establishment of these systems. But again, I would urge the subcommittee to -- that is just one person's perspective, and I would urge the subcommittee to gather information directly from consumer groups, from privacy groups and so on, on this topic.

DR. ROTHSTEIN: Thank you, and I apologize. Ted, your answer?

DR. JANGER: It wasn't an answer as much as two further questions that it seems to me this raises. One is, it strikes me that -- and I think this is already coming out -- that there may be situations where the central database is actually less complete than the information that an individual would give their own doctor, because of concerns that an individual has about making this information available centrally, for fear of -- and this comes back to the trust -- ways in which that information might be used or might be called upon to be used.

In other words, if I go to my doctor, I may tell him about the STD, because I know that I want him to know about it, and because I know that it won't go any further, but I won't put that in the central database.

That is point number one. Point number two question is linked to that, which is, are there limits on the purposes for which a consumer can authorize the use and disclosure of their medical data.

The reason if I am a consumer that I am worried about this is, I put this stuff in the central database because I want my doctors to have all this information. The next thing I am worried about is that my employer is going to come to me and say we would like your health care information, and I say no, and they say bye. I say, I'll give you the paper records and they say, no, we want the stuff in the EHR. Then I'm stuck.

So anyway, there are adhesion problems that can arise that can then force that information out and overcome the control. So I just wanted to highlight the issue. I don't have an idea about how to deal with that.

DR. ROTHSTEIN: Thank you for raising that. It is something that if we have time I would like to pick up on as well.

I want to recognize our subcommittee members on the telephone now, and give them an opportunity to ask questions. I know, Paul, you are under the weather. Do you have any questions?

DR. TANG: Yes, I do, thanks, Mark. I have three, if I could take them in order.

The first one, Bill Yasnoff had mentioned that if doctors did have financial incentives, then we would have EHRs throughout. So let me ask that financial incentive question regarding Dossia and the record bank. That is, what is the business model, what benefits accrue to the founding members, and what would prevent everybody from contributing or not?

MS. WALTON: Relative to the business model for Dossia, the business model for Dossia begins with the founders' initial contribution of $1,500,000 apiece. The goal is to have ten founding companies. Five were included in the initial press announcement.

You had asked what is in it for the employer, why are we there. In my opening comments I spoke about how employers pay for health care for our associates through our insurance programs and so forth. Walmart's cost is rising at 19 percent per year. I know it is a leap, but the reason we are doing this, not only do we feel like it is a good thing for our associates, but ultimately we believe that a personal health record used on a widespread basis in our society is going to improve the quality of health care and lower the cost, and that is the payback for employers.

We do not have any near term other derivative benefit out of that. We feel like it is something that we can do as employers to help cause movement and change within this country.

In terms of Dossia's revenue model downstream, the intent is that Dossia will be on its own feet and beyond the seed money after the first three years at a minimum. Dossia will be an open framework, so that you would look at the possibility of other software solutions and products and so forth that would work out financial agreements with Dossia in terms of licensing and using the technology, those types of revenue streams that are there.

Does that answer your question?

DR. TANG: So you are saying that this model for Dossia is basically to make secondary use of these data. To follow up on the founding, why would there be a limit to the number of founding members if there is no benefit to being a founding member? Or why would there be a restriction on the number of people who would throw money into this effort?

MS. WALTON: I could not hear the first question. I could hear the second question about the limit on the number of founders. That is simply for us to be able to launch quickly and get out of the box. So there are those who are contributing to the startup of Dossia. They will be the ones who first have the option of providing personal health records to their employees, to their retirees, and to the dependents of those individuals.

That is the reason for starting with the ten. There may well be a number of other forums of affiliate memberships and so forth at a later point, but we are just trying to launch and cover the two plus million people this year.

DR. TANG: The first part of the question, it sounded like Dossia when it became self sufficient, it would mean that it was permitted to derive from secondary use of the data on behalf of individuals. Is that going to be part of the concept? I know that is not complete yet, but the employees who are putting their data into this system, would they have control over the secondary uses of the data?

MS. WALTON: First of all, that is not what I said, and I want to set the record straight on that. Dossia is not in the market of providing secondary uses of the information.

If you look at the ability to connect and pass information or the equivalent of technology within computers today that allow you to transmit information from one to another, it becomes a licensing arrangement between technology companies.

So someone who has let's say an electronic health record system today, but they don't have the ability to connect with other proprietary systems, it is conceivable that Dossia would have all those connection points there and say, for a small fee you can rest your own product, be it a personal health record system, and use our connector, so that you have a broader reach to other insurance companies, other health care providers, other sources of data.

I hope that clarifies that.

DR. TANG: Yes. I'm sorry, I did get the wrong impression initially. So it would be only through technology licensing, but having nothing to do with the consumer data?

MS. WALTON: Correct. Dossia is the underlying framework on which other stuff could ride.

DR. TANG: Bill, is the same true for the health record bank?

DR. YASNOFF: No. I think the Health Record Banking Alliance recognizes that there may be health record banks with widely varying business models. I was trying to illustrate one such business model, which is having the patients pay a monthly fee and providing financial incentives to providers for EHRs by paying for deposits.

There are other financial models. There is no requirement to pay physicians for deposits. Of course, if you don't do something like that, you don't get the EHR incentives, and so you don't have the effect of converting the health care system to electronic records.

I will say that it is pretty clear that once you have an operating health record bank, your sources of revenue can be quite diverse. With patient permission, it is contemplated that health record banks would make information available for secondary use. Not only that, revenue generated thereby would mostly be returned to the patient.

So you really ultimately have an analogous situation to a financial bank. In a financial bank you deposit your money and you earn interest because the bank uses your money to make money, subtracts its operating costs, and then returns the difference to you. In a health record bank, you would deposit your medical information, and if you chose to do so, you could have a quote-unquote interest bearing account where your information was used for searches and so on, and money would be returned to you, which would either be credited towards the fee you pay, or ultimately the fees might be reduced as a matter of course for all the customers.

In addition, there are a number of value added services that can be provided once you have complete health information, things like sending instant messages to parents if any of their children's health record bank records are touched by an emergency room physician. Most parents that I have talked to are very interested in that, would be willing to pay something for it. Sending instant message medication reminders for every dose of medication, this might be particularly helpful in the elderly, and pharma might be interested in paying for that.

Something like I call prevention advisor, which would be a service that consumers could sign up for, based on demographic and information in the medical record. Consumers could be reminded of all the things they need to do to stay healthy on an individualized basis. There are also things that could be done for providers.

So for example, you could associate customized rules with orders that providers give, so that instead of ordering a lipid profile and having to review the results and then talk to the patient, you could order a lipid profile with a set of rules that says, if the results of this test are normal, drop them into this preformatted e-mail and send them to the patient and I don't want to see the results. That is something that would be relatively easy for the health record bank to provide, and would obviously be a valuable service for providers.

So there are lots of different services that you can provide once the bank is up and running. The central principle however is that no information is disclosed or used for any purpose without explicit consent of the consumer.

DR. TANG: Thanks, Bill. I hope Mark will follow up on the context for secondary uses.

My final question has to do with access to the data and also unintended consequences. I think my understanding is that Dossia and probably health record banks are planning to include claims data as one way of -- some of these records. I may be wrong, so please correct me.

I think most people including the payors recognize that the claims data have a large problem with accuracy. There have been studies that compare the clinical record with the claims data. There are a number of reasons for that. A lot of it is because the people who provide the data oftentimes are not directly providing care, so that the disconnect, that these are two separate streams and they don't have to relate to each other, so the accuracy is not that important to the health care provider.

But the consequence of having inaccurate data is that, let's say in the case of decision support or even making decisions based on the data, it can result in a number of unintended side effects. So I am wondering how the two groups are thinking in terms of literally -- betting is not the right word, but how do we make sure that the data streams that are coming in are accurate.

DR. YASNOFF: Paul, could I jump in and answer that first, because I am going to have to jump on my plane here?

DR. TANG: Sure.

DR. YASNOFF: First of all, the Health Record Banking Alliance takes no position as to whether you put claims data in the health record bank or not. That is not the primary intent, but there is no objection to it, either.

I think you have a number of things you can do. First of all, when the data comes in, if you have any questions as to whether the data belongs to a given patient or not, you can put it into what amounts to a suspense file and have verification, including calling the patient or the doctor to see if that data really belongs. Those deposits do not have to be completed in real time, because you are not trying to provide data for care at the moment the deposit occurs.

The second thing which I think is very important is that in the health record bank situation, the patient has access to the data, so the patient will look at the data, and if the data is wrong, the patient presumably will make a call and say, there is a stress test in my record and I didn't get a stress test.

Furthermore, you can set up mechanisms whereby the patients are always notified about every deposit that is made into their record, not necessarily the contents, but the fact that the deposit has occurred, so as to alert the patient to the fact that there is a new deposit so they can check.

So I think having the patient reviewing the records can be a very, very powerful force and help to reduce errors in the data and improve quality.

I'm afraid I have to go catch my plane. If there are further questions, I'd be happy to answer them in any way the committee would like to follow up, including in writing or whatever. Thanks for the opportunity.

DR. ROTHSTEIN: Thank you, Bill. I appreciate your phoning in. I know how difficult it is. Have a safe trip.

DR. YASNOFF: Thanks very much. Bye-bye.

DR. ROTHSTEIN: Leslie, are you still with us?

DR. FRANCIS: I know that you are almost 15 minutes --

DR. ROTHSTEIN: That's okay. We are going to go over a little bit, so we do have time for a question if you have one.

DR. TANG: Mark, could you ask if Ms. Walton would care to comment on the question on claims data?

MS. WALTON: Could you repeat the question, please? It broke up over the transmission.

DR. TANG: Okay. My understanding is that there probably will be some pre-population of the Dossia health record with claims data. The claims data is known to be inaccurate, so the unintended side effects of having inaccurate information may either pose problems and lead one to make wrong decisions or mislead decision support programs that help patients and their providers make correct decisions.

One example could be, oftentimes for purposes of billing, you may be ordering a test. Every test must be associated with a diagnosis. It is common to --

DR. ROTHSTEIN: Paul, may I interrupt for a second? We are really out of time here. Maybe you can send a written question for her to answer. I want to give Leslie a chance to ask some questions. We are getting into claims, and that is something I want to try to avoid, if that is okay.

MS. WALTON: Maya has the contact information for me. I'd be happy to handle any follow-up questions. She has some e-mail and phone numbers for me. Thank you.

DR. ROTHSTEIN: Thank you. Leslie?

DR. FRANCIS: Instead of asking these as questions, because in some respects they have been touched on, but in the interests of time I will underline the following ambiguities that I noticed in several of the presentations. At least, these were things I wasn't clear about, not necessarily to ask for answers right now, but perhaps in the files for ongoing consideration of this.

First of all, particularly with respect to Carolyn's discussion, I wasn't clear about whether patients would be expected to pay for the record system, or whether it would be entirely free to patients.

MS. WALTON: Quick response. There is no charge to the founders' employees and their dependents for use of the system.

DR. FRANCIS: That was one question I had, whether there would never be a charge, because I imagine later institutions' charges being questionable.

The second question I had involves both Bill and Carolyn. This has been touched on. In the design of records, one issue is whether with a pull system, which is what I think Carolyn Walton was describing, a patient who sees a provider should be able either to exclude entirely that provider encounter or exclude aspects of that provider encounter from being pulled into the system, and whether even if it is pulled into the system there would be secure envelope, need to know kinds of design.

Obviously Bill talked about that with respect to a drug abusing, drug seeking patient, but there are lots of varieties of that question. Carolyn's description of a pull model didn't talk about that question.

The third question that I had was about, once the patient consents to having his or her physician have access to the record, it is very important to safeguard, even if the record doesn't go elsewhere, disclosures that the physician could make using the record. That is where the interface with employers' insurance and so on is.

So I would assume there would have to be additional patient consent for any of those other kinds of disclosures. The testimony is always brief, but I wasn't clear that I heard full answers to that in terms of what this would look like between disclosure to a physician and then whatever the physician in turn does with what is being disclosed to him or her.

So those were the quick points that I would want to ensure that -- if the idea of this is non-covered health data benefits and services, and how should this relate to those. Those were the questions I had about that.

DR. ROTHSTEIN: Thank you, Leslie, I appreciate that. We have taken copious notes of those questions, and we will follow up on those throughout the day if we can.

I just want to take a couple of minutes to ask one question of each of our live witnesses, and then we will take our break.

The first question is a statement that poses a question, as many of my questions tend to do. It has to do with the Dossia system. The question had been raised about possible secondary uses. In other words, would employers have access to Dossia. The answer is, of course employers will have access to it, as will life insurers and disability insurers and any other entity that can condition a relationship on signing an authorization.

So if you want to sign for a job with XYZ company and they know your records are at Dossia, they can say after a conditional offer of employment, sign this authorization releasing all of your medical records from Dossia to XYZ company, whether or not they are members of this alliance that contributes health information.

So what I think would be really terrific, and I'll figure out how to phrase it as a question as I go along, is, if the members of this consortium which represent already at least three million employees in the United States, would agree to the following and work for the following. Number one, after a conditional offer of employment, when they ask individuals to sign authorizations to release their medical record, to see if they are fit to do the job they are doing, if they agree that they will only ask for information that bears on job related abilities, that is, that they won't ask for the whole record, they will ask, we are considering hiring Joe Smith to climb telephone poles and do these three other things, and we want that information.

B, in the design of this system, if they will work to implement recommendation R-12 from our June letter, which is to have the architecture of the system contain the ability for contextual access criteria, so that there would be the electronic ability to only disclose that information. If the Dossia alliance would do that, it would take a tremendous leadership role in corporate America in protecting the privacy of individuals.

So the question is, might they consider doing that?

MS. WALTON: The answer is yes. Let me say that when I said that we are pleased to work with this committee in any way possible, I offer that from Dossia's perspective as well. We have our first founders board meeting February 1 and 2, and at that time we will be focusing on the mission and charter of the work groups that will be involved in the startup process for the additional release of records.

Certainly one of those is focused solely on privacy. We would welcome that opportunity to have a dialogue to gain insight into your question/statements, so that we can ensure that we are focusing on the right things in these early days.

DR. ROTHSTEIN: That would be terrific. You would get my personal hero award if you could do that.

The second question is for Professor Janger. Can you contemplate some sort of private FDIC model for ensuring the financial solvency of health record banks or information exchanges so that we don't have this overhanging threat of the insolvency-liquidation selloff of records where there is no filing, but no consequence to the company? Are there models where that might work?

DR. JANGER: Short answer is no, but I have another idea.

DR. ROTHSTEIN: Okay.

DR. JANGER: When you think of an FDIC or a Jones Act or a PBGC type industry funded insurance model, what you are trying to do there is make sure that the industry as a whole internalizes the cost of its harms, which I think is an important thing to do. I think that is not necessarily a bad idea, but I don't think that it gets you the incentivizing function that you worry about with a Card Systems type, a thinly capitalized outsourced entity problem.

I suppose what you could do, thinking out loud here, is a piece of this would be to say, there are capitalization rules that go along with creating the fund. In other words, if you want to participate in the fund, you have a margin and you would have to be able to meet calls or something like that.

But I think the lesson here is a little bit different. What you really need to do is make sure that the individual actors have something at stake if they screw up, and that requires a shift away from either a -- there are two pieces to it. One, shift away from a liability model to a public enforcement type model. Second, and I say this somewhat more advisedly, it may also require you to think about restrictions on the way people who end up with the information use it. In other words, restrictions that run with the information to the extent that that is possible.

That gets a little bit technologically tricky and can really chill information uses in ways you don't want to, but those seem to be the avenues that you have to go, because I think that the insurance model solves the harm problems, but we are talking about dignitary harms here, anyway, so it doesn't get you where you want to go.

DR. ROTHSTEIN: Thank you. I want to thank Dr. Yasnoff in absentia, and I want to thank our present witnesses. I want to apologize to those listening on the Internet and also elsewhere for running late.

We are going to take a ten-minute break to 11:20, and then begin Panel II. We will take the time out of the subcommittee's lunch somehow. Thank you all. We will resume in ten minutes.

(Brief recess.)

Agenda Item: Panel II - Non-Covered Health Providers

DR. ROTHSTEIN: Welcome to the members of our second panel. I know that you have the testimony of the first panel members.

Just by way of introduction, let me ask you if you can, you know we have got lots of questions. I think that is where we really benefit, from the give and take. We have got your written testimony, so if you could summarize or hit the high points of your written comments, focusing on the topic that we have under discussion today, that is, the possibility of extending HIPAA or HIPAA-like coverage to currently non-covered entities, and then we would like to explore those issues with you.

The first of our witnesses on this panel is Dr. Eric Light.

DR. LIGHT: Mr. Chairman and the committee, thank you for letting me speak with you today. An apology. Apparently we had trouble with electronically transferring files from Italy and the U.K. to you. That is why you received our remarks so late.

Also, as I listened to the testimony this morning and the questions that were asked, I realized that I may be raising more challenges than providing solutions. So bear with me as we try and bring you into a different world, those people who are health care providers, not in the traditional mold, and with many clients who want to opt out of the system you are trying to control.

What do you do when you have -- we will separate this medical spa world into two different categories right now. One would be aesthetic medicine where the medical spas you quite often see on the street are advertised, and also what we would call lifestyle medicine, or the lifestyle medicine spa.

In the traditional classic medical spa, you see minimally invasive services offered by physicians or under the supervision of physicians, so there is a complete understanding of HIPAA and the need for privacy and for patient records. As this expands, we are seeing greater interface with the medical world, because patients are moving from minimally invasive services into the operating rooms of plastic surgeons or cosmetic surgeons. So there has to be an exchange of data.

We also see an interface where a spa may be offering pre and post treatments to a surgeon to improve patient outcome. Where is the confidentiality of that record, where is the control of that record, what rights do the patients have when they move from a spa world into a medical spa world. That is an interface that we are concerned with as we look at it.

The second category is probably more problematic, that is, the lifestyle of wellness medical spa, which may operate under the supervision of a licensed physician, but will also be operated under the supervision of a naturopath or homeopath or physiologist or psychologist, all of whom are working within their scope of practice, but who do not necessarily provide traditional services or traditional treatments, are quite often shunned by the medical establishment, the insurance companies, corporations, although that is changing, fortunately, but because they have been shunned are loath to share their data with the traditional industries of medicine, and also who have clients who have opted out of the system to these complementary and alternate practitioners, and are also loath to bring their data back into the mainstream.

The distinction is that these facilities look at preventive care rather than acute care. It is preventive medicine rather than reactive medicine. The crisis point comes when a client does go into an acute care need. How do we transfer their preventive medicine data to the acute care system?

We don't have an answer for that right now. We have recognized the need to come up with a solution. We have also recognized the need to create an interface that solves the needs for both the practitioner and the client. It hinges on client control of data. Since they have opted out of the traditional system, they want to control their data more than the traditional patient in the medical world. So we are very cognizant of that, and that is why we are surveying practitioners, facility owners, their clients, manufacturers and particularly computer software manufacturers to see if we can create an interface that is viable.

We are going to need your committee's assistance in doing that, because we need to know where the connection points are and what you envision doing with this data.

The system I heard this morning from our colleague from Walmart was very fascinating to me, because it does talk about client control. It does talk about the client being able to enter the data rather than a physician or medical office. When we start looking at things that way, I think it becomes a much clearer alternative.

In the short term, we practice medicine a little bit differently, as I said in my remarks. We had a woman who came to a clinic because her doctor had her on painkillers and muscle relaxers, and she was getting gastric problems, and she didn't like the gastric problems. In the course of the interview, the physician assistant moved her purse aside, and it felt like she was moving a rock. This was an older woman who put her life into her handbag. It was weighed out at being 9.2 pounds. No wonder she was having shoulder problems. So they got her a fanny pack, they got her into massage therapy, and they sent her across the street to the golf center to have her golf swing worked upon.

Now, in the definition of medicine we had a problem, diagnosis, treatment, solution. She is off painkillers, off inflammation. Her golf swing is better. Four weeks after coming off of pain medication she won her first tournament. We have a very satisfied patient.

A woman who gives up smoking puts on 40 pounds, has difficulty walking now, wants to go back to smoking. Instead, she came to a spa where she was given a simple metabolic test, FDA not approved, but permitted, done not by a licensed practitioner but by an aesthetician, diagnosed at a certain metabolic rate. She was put in a biooxidative bath, something that is not often found here in the United States, but is used throughout Europe, Asia and the Far East. The idea was to speed up the detoxification from the nicotine. She was also put onto a weight management program. She was given massage therapy to balance out the piriformis muscles in her back. At the end of the day she was also given a manicure and a pedicure as a reward for giving up smoking, which meant that she stayed on the program.

Is that medicine? We had a cured patient, but it does not fall within the categories you have been discussing today and discussing I'm sure over the past few months.

We don't have the answers or the solutions that you might be looking for. We do know that we have a need to interface with your traditional forms of medicine much more clearly. The International Medical Spa Association has already started a dialogue within its industry.

We don't want more regulation, we want solutions. The problem we have run into is that HIPAA has been used as a weapon against us. We have a situation in Hawaii where a resort corporation forbade its aestheticians and massage therapists from asking health questions which might have revealed contraindications to services. Their legal staff told them that they did not want to fall into HIPAA requirements.

Unfortunately, since they took a release from the client, the court said it was a -- that obviated the need to follow the standards of practice. The upshot was, a woman who had never been to a spa before was given a seaweed wrap, but since nobody asked her if she had any allergies and nobody understood that she was allergic to iodine, she went into anaphylactic shock. A life squad was not called in time, and she died. A simple seaweed wrap.

We can't have that happen. We can't have corporations use HIPAA as a weapon to prevent good care. The court's decision is being appealed. We are actively involved in that appeal. I'm sure you are puzzled by how that could happen; so were we. But this is why we are concerned about the interface between what we do and HIPAA and any of your information --

DR. ROTHSTEIN: Excuse me. What are you appealing? The award of damages?

DR. LIGHT: No, what we are appealing is the idea that a release form from a client could supersede the need to take an effective pretreatment evaluation, in other words, a health questionnaire. The court decided that the technician who was dismissed because she asked a question was fairly dismissed rather than unfairly dismissed, because she wanted to defend her licensure.

DR. BERNSTEIN: What was it that prevented the spa from asking these questions in the first place?

DR. LIGHT: They had been asking the questions and the resort's attorneys said, oh no, that is violating HIPAA policy because we can't manage the health data, so they were no longer allowed to ask health questions.

DR. BERNSTEIN: And the attorneys wanted to avoid becoming a covered entity somehow by collecting medical information?

DR. LIGHT: Even though this was a resort and the data was destroyed immediately upon the person leaving the spa. It made no sense. I can see your faces, and you are shaking your heads, but this is our reality.

DR. BERNSTEIN: Unless they are taking insurance they are not covered, right?

DR. LIGHT: Of course not. But why did they feel the need to take that step? And it did happen.

I think in the short, since you have my remarks, and I hope the committee will allow me to expand and extend them based on what I heard this morning and not getting them to you because of electronic issues, that in the gist is what we are here for. So more about questions for you than solutions from me. I kept it short, so you are back on time.

DR. ROTHSTEIN: Thank you so much. I will take the golf lessons and all the other stuff that you are offering as well. We will I'm sure have questions for you.

Our second witness is Mr. Marquis.

MR. MARQUIS: Good morning. Are you going for the seaweed wrap as well as the golf lesson?

Mr. Chairman, members, thank you for the opportunity to be here today. I am here to talk about concierge medicine. When Maya spoke to me about coming here today, as she will recall, I was concerned about the fact that I didn't know anything about HIPAA. I was even using the wrong acronym, as one of my partners reminded me. But I have learned a little bit since we spoke, Maya, and I think I have learned enough to help the committee understand where concierge medicine fits in this puzzle.

You do have my written remarks, and I won't restate those, nor will I necessarily follow them here.

There is one important thing you need to understand, and that is, there are two kinds of concierge medicine, a term that really is used rather loosely, particularly in the last three or four years. As types of physician practices have morphed into different kinds of physician practices, different things have been added, different things have been tried, yet they all seem to fall under the rubric of concierge medicine. It is not really fair to think there is something out there that is concierge medicine and should or should not be covered by HIPAA.

As I said, there are two distinct kinds of concierge medicine. Many of you have heard perhaps of a company in Florida called MDVIP. This was the biggest mover today in one type of concierge medicine. I call this type of concierge medicine a fee for non-covered service or FNCS type of concierge medicine. It is very distinct from the second kind that I will describe to you.

Most of the national controversy about concierge medicine is around the FNCS style of MDVIP style practice. The controversy initially arose in 2002 as to the question of whether the physicians practicing this kind of medicine were in violation of the Medicare rules, because they were charging --

DR. HOUSTON: Could I ask a question? Could you give a simple example of what is FNCS? Just something so I can get a vision.

MR. MARQUIS: In that type of model, the patient pays the physician directly a certain amount of money, usually $1500 to $1800 a year. In exchange for that, the traditional form of this FNCS style practice, the physician would agree in exchange for that payment to give the patient a palm pager number, phone number, next day appointments, no wait appointments in the office, and shrink her practice down to 400 to 600 people, usually 400 people, 400 plus. So you have got a 3,000 patient physician going down to 400 to 500 patients in exchange for the money, which is paid in exchange for these, as I call them in my testimony, enhanced services and enhanced access to the physician.

That controversy erupted in 2002 because of the Medicare issue. If these physicians were still in Medicare, participating physicians, on the one hand they are accepting Medicare reimbursement and on the other hand accepting direct payments from the patient. In a perfect world there is something inconsistent with that.

Tommy Thompson concluded in 2002 that there wasn't anything inconsistent with that. I think that is a correct conclusion on his part. The services for which this money was being paid are not covered by Medicare. They are not even medical services covered by Medicare. Some writings since that time have indicated clearly that there really is no conflict between that type of practice properly run and Medicare rules as we currently understand them.

The reason it is important to understand the two kinds of -- for your purposes, two kinds of concierge practice is that these physicians are already subject to HIPAA. Of all the concierge doctors in the country, I would say 80 percent plus are practicing this kind of concierge medicine, and they are already covered by HIPAA. They bill insurance, they bill Medicare, and I think by definition as a result they are included.

The second kind of concierge medicine is very different. In fact, I will describe to you very briefly how that is about to morph into something that really does not deserve the name concierge, which is not the greatest word in the world to describe a medical practice, and everyone recognizes that.

I call this type of practice the fee for care model. The primary player in this field today, the most prominent, is Dr. Garrison Bliss in Seattle. Garrison has been practicing this type of medicine for around eight to nine years. It is not so much a concierge model. It is not so much that the patient is paying for extra access, although Garrison's practice is 800 to 900 people, which is half the normal primary care physician practice. But the fee that he charges, and Garrison charges on a monthly basis, is for primary care. So when a patient agrees to pay this type of physician an amount of money, and some physicians charge an annual fee, some charge a monthly fee, that fee is really in exchange for medical care.

Now, most of us who practice in this industry believe, and I think it is an absolute truth, that you can't be in Medicare, you have to have opted out of Medicare in order to practice this kind of medicine. Garrison Bliss and others who do practice this kind of medicine have opted out of Medicare. They do not bill insurance companies. Some try to stay on the panels for referral and out of network purposes, but all these physicians do not bill -- none of these physicians, I should say, bill insurance companies and they don't bill Medicare.

If you are a family practice physician, and almost all of these physicians are family practice or primary care physicians, you get in exchange for your payment whatever that physician can offer you. If he is an internist, you will get internal medicine, you will get your babies delivered, you don't get your cut sutured up necessarily. If you are a family practice physician, then you get whatever is within her scope of training and experience in exchange for the money you pay.

Now, my written comments only refer to one specific part of it. On the next to last page, there is a quote of the GAO report which was issued in August of 2005. Congress wanted to know if concierge medicine, the FNCS style of practice, was interfering with Medicare and the access to health care by Medicare covered people.

The GAO studied this and determined there were 146 physicians in the country out of about 450,000 who were practicing that kind of medicine. I think that was an underestimate, although they tried to do an exact count. There are certainly more than 146. MDVIP has more than that itself, and there are a heck of a lot more of those physicians than are working with MDVIP, but they are already covered by HIPAA.

So what about the physicians that aren't covered by HIPAA? Theoretically the fee for care models are not because they don't bill insurance or Medicare. I think most of them probably already comply, but I'm not sure they have to. But the comment made by the GAO was, there aren't enough of them to even worry about. There is no point in this.

I make the same point about the fee for care model. I would estimate there aren't more than 25 doctors in the whole country that are running that kind of model.

In closing, I'll point out that there seems to be a movement in that form of concierge medicine to something that is really quite interesting. You have to look to West Virginia and the legislation that was enacted there to establish a pilot program for so-called concierge medicine to provide care for the uninsured. That is one of the stresses that Garrison Bliss is attempting to instill in his practice as well, is the extent to which you can provide primary care for uninsured people for a relatively small amount of money. In fact, Dr. Wood as I mentioned in my written testimony estimates that he would have to charge $83 per month per patient in order to provide 100 percent of their primary care throughout the year.

So in short, I am here not to give you a magic reason why you shouldn't extend the HIPAA rules to every physician, but I can tell you that there are so few of them currently out there that are not covered by HIPAA, I'm not sure it is worth much of your effort.

Thank you.

DR. ROTHSTEIN: Thank you. That is a very interesting development that we would like to explore with you in a few minutes.

Our third witness on this panel is Tracy Powell on a totally different aspect of health care.

MR. POWELL: And I have got to start by telling you I am a little intimidated here, and out of my league. I don't have a J.D., Ph.D., M.D. behind my name. I run a small business. The comments that I have, I am going to parallel pretty much what I submitted, because if I can keep it brief enough, I think it is important that you understand what part of the world we come from.

When Maya called me, she said we understand a little bit about your company. We have heard that you guys do things right with respect to privacy and confidentiality. Just to show how naive I am, she talked about HIPAA and she said, you are not covered by HIPAA because you don't do insurance billing. I said, I thought we were covered by HIPAA. So needless to say, I'd like to take credit for us being good corporate citizens and having done this HIPAA compliance on a voluntary basis, but the actuality is that we believe that it was legally and otherwise important for us and imperative to implement HIPAA into our business.

I think it is important that I help the group here understand what our business is all about, because it is a little bit different, and why we are so focused on privacy and confidentiality. In fact, our business is built on privacy and confidentiality.

The very first system that we developed, and we started our company in Chicago in 1993, and the very first offering that we wanted to bring to the market was to provide a solution to a public health need. In the late '80s, early '90s, people were at risk for HIV but they feared going to the doctor or a clinic because they didn't want to be identified for even taking a test. So literally, some people died of embarrassment, and that is just not the right thing. So we said there ought to be a way that you can develop a systematic approach that would allow a very high level of privacy and confidentiality accuracy with respect to testing, and we did just that.

So we developed the Home Access to HIV-1 test system. It was approved by the FDA in 1996. I want to take you through it very briefly so you understand why this thing is private and what we think about it.

The very first thing we did was, we said, in order to protect peoples' privacy and confidentiality, what is the best way we can do it? The best way in our opinion was, provide then an anonymous system. So we built a system that is predominantly -- there are components in here so that you can prick your finger, you put blood onto a card, you send this in with a prepaid mailer.

But the most significant component in here is this card, because this card has a code number, and it allows a community to anonymously -- informed consent is as simple as signing a number. There is an 11-digit number. You enter that along with your date. We instruct you to give us a couple of drops of blood. We then ask individuals to tear off the bottom part of the card. That is their anonymous code number. That code number then gives them access to a medical record. We ask them to call our system and enter that anonymous code number. That creates a medical record.

They then send this sample in. We test this. By the way, we test it at 100 percent sensitivity and 100 percent specificity for an FDA claim of greater than 99.9 percent. So this thing is really bulletproof accurate.

Someone then calls back for their results. They call an 800 number and they access this personal identification number. They get their results. If they are negative -- on an automated basis so that it is very convenient, unobtrusive. In the event that an individual is positive for HIV, an infective, deadly disease, that call is transferred 100 percent of the time to CDC, client centered counseling related counselors that are under our medical director's supervision in our call center, and they tell that individual what their status is, and they provide them with referrals and assistance to get them into follow-on care. They don't know the individual's name, but they know a lot of information about the individual, because our system asks people to opt in to give us data. That data includes demographic as well as risk data. Eighty percent of the people who volunteer through our system provide us that kind of data. So we get very rich information. When our counselors are talking to somebody who is positive, they know where they live in most cases, what their sex is, what their risk factors are, et cetera.

So this is an anonymous system. In my view, this medical system provides the utmost in privacy and confidentiality.

Next up, however, our friends in the public health world came to us. You remember hepatitis C in 1998, the Surgeon General said that hepatitis C was the silent epidemic, four million Americans infected with hepatitis C, and virtually none of them know it. So we developed a system in collaboration with some public health partners and the like.

One of the things that we learned that public health needed was, they needed to identify people, because what good does it do if you are out trying to deal with an infectious disease if you don't know who the individual is, you can't counsel that individual, and/or you can't communicate with that individual about their results.

So we built an add-on to the system to allow for confidential testing as well as anonymous testing. In the case of confidential testing with our company, it is 100 percent opt in, so we are not getting information from individuals that haven't allowed us to use that information. We are highly protective of that information, because again, we comply with HIPAA.

We implemented HIPAA compliance into our good manufacturing practice procedures. That was in 2003. Most recently, we are now developing a new methodology, a new platform that is similar, but we are separating red blood cells. So it is a couple of drops of blood, but we separate red blood cell from serum. So with the new platform we are looking to help screen and avoid common chronic diseases like diabetes, cardiometabolic disease, cholesterol related heart disease, et cetera, with a highly accurate mail-in test that can either be anonymous or confidential, depending on the venue. In other words, the public health department we will use confidential. A consumer, if you go to retail and you want to buy this, you would probably prefer to have an anonymous type test.

DR. ROTHSTEIN: Like the HIV test.

MR. POWELL: Like the HIV test and like our hepatitis C test. You can either get it anonymously or confidentially, again depending on the sponsor and what the venue of service is.

So in conclusion, I can't offer this panel nearly what others can in terms of depth for regulatory systems, legal, et cetera. I can tell you from a small business guy's perspective that I think anonymous testing is a service that has been needed and will be needed, because there are people that won't test, that won't give their information unless you provide that sort of convenience and courtesy.

Confidential testing, we are absolutely committed to doing it. With respect to new laws that may come into effect, whether or not they would impact us, even if there were a new law on national health information and it didn't apply to us because we were not doing insurance related billing -- although we are probably going to be doing that too, but even if we weren't, we would comply with the law, because we think it is the right thing to do for our business.

But I will say this. As a small business, I think what is most important is that you look to develop a system for connection, compliance, et cetera, that is as simple as possible for adherence on the small business side. I think it also needs to be one that is least amount of onerous cost, et cetera.

Those are my thoughts. I think you guys have a monumental challenge ahead of you. With that, I wish you all the best of luck. Thank you again. I am honored to be here on behalf of Home Access.

DR. ROTHSTEIN: Thank you for that assessment, which we share. Now our final witness on this panel is Mr. Jon Almquist. Welcome.

MR. ALMQUIST: Thank you very much. On behalf of the NATA, the National Athletic Trainers Association, thank you for allowing me to come and talk to you today. We are an association of 30,000 licensed and certified athletic trainers.

Again, my name is Jon Almquist. I have been an athletic trainer for 24 years. Currently I am the athletic training specialist at Fairfax County Public Schools, which is the 13th largest school system. We deal with approximately 25,000 student athletes a year that we are providing health care for.

Let me first explain a little bit about what the athletic trainer is, because we are in an identity crisis with our profession, and there is a lot of misunderstanding in the public with regard to the term trainers. We are athletic trainers, not just simply trainers. We don't want to be confused with the dog trainers, the lion trainers, and more importantly the personal trainers who deal with getting healthy people stronger and faster or lighter and quicker.

We are certified athletic trainers who deal with the prevention of athletic injuries, the evaluation, the assessment, the treatment and the rehabilitation of athletic injuries.

Athletic trainers must have a four-year degree or a bachelor's or a master's degree and then sit for a national certification exam. In 44 states we are regulated. For example, in my state in Virginia, we are regulated by the board of medicine. We are all licensed in that state to practice the art and science of athletic training.

Approximately half of the athletic trainers work in the secondary schools, colleges, professional sports, and the other half work in hospitals, physicians' offices, clinics and corporate wellness centers and other specialty settings.

I have served as chair of the NATA Secondary School Committee for ten years. I just got off that ten years worth of service. With this background I would like to speak to you about the delicate balance between the FERPA and the HIPAA privacy issues and how they impact the student athlete in the secondary schools.

The whole issue of privacy in our setting can be very frustrating. In order to provide appropriate care, there has to be a dialogue between the treating physicians, which aren't always the team physicians, in high schools as they are in colleges. We could have 150 students we are dealing with in any one week, and they could have 125 physicians that they are working with as far as their primary care.

The communication between all these health care providers is essential to providing adequate care. What we find is that there is a misunderstanding or sometimes it is just a fear that nobody can speak to anybody. That is a concern that is detrimental to us providing health care to our athletes.

The NATA doesn't have a policy or position statement regarding which rules to follow, whether it be HIPAA or FERPA, but we leave it up to the employer, whatever the athletic trainer is employed by, their privacy rules and regulations, that is what they should follow.

Within the secondary school setting where athletic trainers are employed, there are two primary employment models. One is when the athletic trainer is employed by that school, paid for by school board funds either as a fulltime athletic trainer or an athletic trainer and also a teacher. Usually they get paid for the athletic training duties in a stipend form.

Their employer is the school, and all the records are created by school employees, and therefore it is pretty much a no-brainer, it is a FERPA issue. But when it gets a little foggy is when the athletic trainers are employed by the local hospitals or clinics or physicians' offices, and then they are providing care to the athletes in the high school. Sometimes there is a monetary fee that is paid and sometimes it is paid through the clinic. That subsidizes the athletic trainer's salary within the clinic hours that they work within the clinic walls, and then they go out to the high schools in the afternoons and take care of the student athletes. Sometimes they are paid directly by the school in stipend form, so they will work for a clinic for a very small salary, ridiculously low, to be honest with you, but we are working on trying to raise those. Then the supplemented stipend would then supplement their overall salary to make a go at it for an annual income.

Then there are situations where as a clinic employee that is a HIPAA covered entity without a doubt. But then they go into the school and start creating documents there, and there is a fuzzy area of who owns what.

I say this, because we have dealt with the issue quite extensively in our particular system. We have two division attorneys on staff and we have been looking into this quite extensively. But the stories you hear from outside from all over the country as the chair of this Secondary School Committee, the consensus is that there is no consensus. That is where some of the issues crop up.

So the bottom line is that when we are an employee of two different entities, one is FERPA, one is HIPAA, where does it cross over, where are the dividing lines, where are the Chinese walls, is what the attorney that I spoke with mentioned.

So these are some of the issues that we have dealt with.

DR. ROTHSTEIN: Thank you very much. I want to thank all four of you for keeping us on time and on point by focusing in on the issues that we asked you to address.

I know we all have questions. We are going to go in reverse order from the first panel and start with Leslie, and give you the first question. Are you with us?

DR. SCHMIDT: She did mention when I spoke to her yesterday that she might have to teach a course today.

DR. ROTHSTEIN: Okay, professors also sometimes work for ridiculously low salaries, but they still have to do stuff.

Simon, would you like to begin?

DR. COHN: Sure. I want to thank you also. I thought that was very interesting testimony.

I just wanted to clarify with you, Eric, as well as Jon, the perspective that you are providing. As I was trying to divine the reason for your testimony, it appears that the reason that you are not covered entities is because there are no insurance transactions? There were absolutely no transactions that occur? It seemed like there was a mixture in some of this stuff.

DR. LIGHT: We have a mixture. The problem is that we have various models of medical spas. Some are located in hospitals, some are located inside an existing physician's practice. So in that case, they are operating within facilities that are covered by HIPAA. The recordkeeping is in conjunction with normal practices inside the medical institution.

But when you start looking at adjuncts, when you start looking at facilities outside of the traditional medical model, is where we start running into questions. It is not so much the question of whether it is covered or not, but more about the interface. That is what my concern is, is where does the interface come along.

Let us assume, for example, that a medical massage therapist, and I use that term particularly, because for example in Ohio, a massage therapist has a limited medical license for the practice of massage. One of two states, Washington is the other. Let's say that massage therapist has a practice where patients or clients are referred by physicians. The physician may be charging that client an extended fee because there are some adjunct therapies involved.

The medical massage therapist may be issuing records that that patient themselves can then submit to an insurance company. Where does HIPAA come in there? Where does the confidentiality come in, but more importantly, where does the interface of data come in, not only between the physician and the therapist, but as you talk about this global model, how does that patient's data go into the global model? What I heard this morning was that the patient could have control of the place to get into the model, and that is important. They can go and scan their record into the back, and that would be useful.

The wellness medical world, part of which is anti-aging medicine, but has a lot to do with endocrinology, has a lot to do with preventive rather than reactive care. What does happen when a patient has to transfer from preventive into acute care, and how does that data move from one world to the other? Again, it is not a question of whether HIPAA applies, but it is a question of the interface. When you look at your models, I ask that you think about and help us understand where the touch point could be, how can we work a system in such a way that those people who have been shunned by the traditional medical community as being out there in that far out third world medicine, which has a 5,000 year history of operating, how do we interface into the traditional world of recordkeeping?

Understand that in China, the physicians are paid only when the patient is healthy. The minute the patient gets sick, the physician is no longer paid. That is the antithesis of our system, but that is where a lot of consumers want to be. They are willing to pay the physician to be well and resent the fact that they wind up sick.

CDC data says that 35 percent of Americans suffer from a preventable lifestyle-related disease, and 24 million of them will die from the disease. If a woman breaks her hip and goes into a nursing home for longer than six months, there is a 40 percent mortality rate. Why not take calcium? Why not get a metabolic test at a spa that can show you where you need to build your supplements? But that is medicine.

DR. BERNSTEIN: I think the question that the committee has is less about the legitimacy of the practice, but what in practice for these kinds of caregivers -- what is the practice with respect to how they keep and guard the information that they do collect. They are collecting information, some of which can be characterized as medical information. What is the general practice in your experience in the medical spa community with that information? What happens?

DR. LIGHT: In many instances where it is within a traditional medical practice, it is following electronic guidelines. Most of the practices outside that world still work in a paper system. They are taking personal notes.

There are some new technologies which now intake via PDA into some new software that is coming, but it is mostly paper. I will share with the committee two forms that I have picked up from suppliers.

DR. BERNSTEIN: Maybe you misunderstood the question. What I am asking is not what is the technological practice, but what is the practice with respect to protecting the information, what rules apply, what self imposed policies, ethical rules and so forth.

DR. LIGHT: There are no rules within the industry. Outside of those covered by HIPAA, there are no rules within the industry. We are working to help develop guidelines, but there are no rules. Most people use a common sense approach and say, we lock these things up under key, because our clients expect a certain degree of confidentiality, but there are no fixed rules.

DR. ROTHSTEIN: It seems to me, just to follow up, that from your seaweed example, the industry would be opposed to any sort of regulatory system that tended to require the suppression of important information.

DR. LIGHT: That is correct.

DR. ROTHSTEIN: Even though we discussed that it really didn't in this case. Would it be fair to say that in exchange for this open communication that would value the practitioners in these spas, that the industry would be prepared to have itself covered under some reasonable regulation to try to protect the privacy and confidentiality of the information? Conceivably a result would be more customers would be inclined to avail themselves of your services.

DR. LIGHT: I'm not sure I can speak for the industry as a whole, because it is so varied. I think that there is a movement towards the medical spa, the wellness center, as the alternative to conventional health care. This question has not been adequately addressed. I think that the dialogue is ongoing right now. It started partly because of your invitation, but had been started prior to that and how we manage records.

We are hoping to come up with some codified system. It would most likely be on a voluntary basis, because we have no means of enforcement. But the fact that we would consider creating standards and looking to people to accept them, because consumers want them to be accepted, is I think where we are going.

DR. ROTHSTEIN: Mr. Marquis, same basic question.

DR. FRANCIS: I wanted to follow up on Mark's question as it gets back to both of you. It seemed to me from what I heard that there were two different kinds of questions. Mark's question suggested how they were related.

The first kind of question concerns the current HIPAA regulatory regime, which is, is it creating for you problems in getting access to information, most particularly because there are covered entities that can't share rather than because within your shop there are misunderstandings?

That is one set of questions. If we are charged with looking at the HIPAA privacy protection rules, we need to know whether they are creating unanticipated problematic consequences for the quality of care that you get. That is one thing.

The other side of the question is what Mark was pushing on. The question for us is, should we be thinking about recommending some expansions of privacy protection for the kinds of records that you all have. In which case, the question of would you be willing to accept some of that in exchange for the benefits that you get is an important question, but also, are there features of what goes on where you are that would be different that would need to be borne in mind with respect to the question of extending privacy protection, like decentralization, for example.

Did that make sense?

DR. ROTHSTEIN: And that was directed to Dr. Light?

DR. FRANCIS: It was actually directed -- what I was meaning to do was to say that as we look at both athletic trainers and medical spas and other kinds of entities that currently maintain health information, but that don't come under HIPAA, what we need is to know both the problems that HIPAA is now creating for them, not because of misinterpretation, and the question of whether there are special aspects of their circumstances that it is particularly important for us to know about in terms of expanding or thinking about whether HIPAA protections ought to be expanded.

MR. MARQUIS: Mr. Chairman, could I take a shot at that?

DR. ROTHSTEIN: Please.

MR. MARQUIS: The gentleman on my left, Tracy, made a point earlier regarding being a small business person or starting a small business, and the difficulty of meeting all one's legal and other expectations financially and maintaining a viable business.

I want to relate that to the Dr. Wood situation in West Virginia. I think that it is true that to the extent that a physician does not bill insurance companies or Medicare and therefore would use electronic media billing, they are not covered by HIPAA.

Now, to the extent that the Dr. Wood type of practice that is simply a cash only, would not be covered by HIPAA, to require HIPAA compliance to the extent that that would increase the cost of Dr. Wood's doing business, would be from a business standpoint unfortunate for Dr. Wood.

I think that Dr. Wood would tell you that at $83 a month for helping uninsured people find health care, he is on a shoestring, and his margin is very, very small. To the extent that he is not covered by HIPAA, to require him to do something extra that he is not now doing, and I don't represent Dr. Wood, I've never met the man, I have read articles about him, but to the extent that he would have to do something that he is not doing now that was going to increase his cost could have an adverse effect upon the viability of the practice that he is trying to maintain.

I think that is the point that the gentleman here was making about imposing an extra requirement on his business, which would simply add to the cost.

DR. ROTHSTEIN: But just a followup. In the concierge world, correct me if I'm wrong, there are various motivations why physicians would want to embrace this model. Frustration with all the paperwork, they can't give adequate treatment in such small time blocks and so on and so forth.

Am I correct that avoiding HIPAA responsibilities in the very few practitioners that would be so affected is really not a motivation of these physicians?

MR. MARQUIS: I think that is correct to say.

DR. ROTHSTEIN: So if we were to continue our recommendation that HIPAA style requirements applied across the board, there would not be this huge outcry of anguish from Seattle, right?

MR. MARQUIS: I can't speak to what Garrison Bliss might outcry to. For all I know, Garrison is already HIPAA compliant. I have no way of knowing. He is a very sophisticated physician and runs a very sophisticated practice.

DR. ROTHSTEIN: And covering him may have no effect because he may be compliant for all we know anyhow.

MR. MARQUIS: Yes. I do know, although I don't have any dealings with the physicians, there is a fairly large organization of physicians, the cash and carry, the retail type physicians, that have nothing to do with concierge medicine. They are just, I'll see you at the door and you pay what is on the wall.

DR. ROTHSTEIN: The doc in the box.

MR. MARQUIS: Not necessarily. These are private practitioners that are just cash and carry, who are very averse to HIPAA, as I in my studies in the last two weeks have revealed. But I don't represent those people.

But I think the basic premise is correct. A motivating factor for physicians getting into the fee for care model to my knowledge has never been avoiding HIPAA.

DR. ROTHSTEIN: Thank you. Harry, you have been patient and John as well, and then we will get to Paul.

MR. REYNOLDS: Thank you. One thing about being on this committee, you get to learn. I thought all of your testimony was excellent.

If you look at three kinds of entities that we are dealing with, HIPAA has covered entities so those are clearly defined in the industry and everybody understands that. We have looked at this whole new world of the Nationwide Health Information Network and other things, and technology vendors. Those of you who were here this morning, you heard how data is going to go from one place to another, and the person who touches it may have nothing to do with HIPAA, but they have the key information.

Then the third is this set of caregivers and advisors that are involved with dealing with people that are really not what would be considered a HIPAA covered entity, may not be an insurance covered entity, may not be a medical covered entity. You have laid it out clearly as to what it might be. I was interested from a standpoint of dealing with the schools. You may be one of the few caregivers that some of these people actually see as a medical trainer, because some of these kids might not be going to the doctor regularly, but they are playing sports and they are seeing you every day. So that is another environment as you try to improve care for the uninsured, you guys are a first line of defense.

I think the key point is, as we look at all three of those, in the end if you are looking at the person, the person has personal health information. Let's forget the HIPAA definition, that is personal health information to them. What we are trying to do, whether HIPAA would be advanced -- and I know HIPAA covered entities is a big deal to a lot of people. Having been a payor, I understand it, I implement it, so that brings a whole lot of things to the table, and for small businesses and others that brings a whole cadre of things you have got to do and expenses and other things that are outside the norm.

We have a sense that if somebody touches somebody's personal health information, they should protect it. If I played off of the testimony this morning, the idea of the bankruptcy, the idea of selling off to somebody else who could get the member list, could get the documents there that are key, I would just like you to quickly say whether or not you also feel that it is protected health information and that it should be protected for the individual, is really what I am looking at, if you could expound on that in any way.

Again, it is about protecting the information. If we go into a nationwide health information and we pulled in things like the spas -- in other words, if I am a patient and I say I want my full record and by the way, I'd like the health from the spa, now it comes into a whole new world of protected.

One of the things that we are trying to look at is protecting this information, and right now HIPAA only went to a small administrative group of people. You are absolutely in many cases not anywhere near that. So we are trying to look for some kind of way to move the ball. It may not be to hand you HIPAA, but it has got to be something to ensure that that person feels that their information is protected.

DR. LIGHT: In answer in part to your question, yes, there is an absolute requirement that peoples' information be maintained confidential. To what extent people are enforcing that or what procedures they use is unclear, because there is so much differentiation, but it should be protected.

The place we run into more difficulty with is not the information going upward through the food chain, but coming downward, where people say you are not a HIPAA kind of place so we are not going to share -- you don't qualify under HIPAA so we shouldn't share that information downward, where it is just as critical to have.

So if there is anything I would like you to consider it is that it is a two-way street, and that HIPAA should not be used as a barrier for sharing information to non-traditional practitioners.

DR. ROTHSTEIN: They could share it with you, but if they assumed that you are not engaged in treatment, then they would need some sort of release or authorization from the individual.

DR. LIGHT: Right.

DR. ROTHSTEIN: So if you were considered in a treatment relationship under the HIPAA principle of treatment disclosures, then they could do it. It would depend on what services you were providing, whether it is massage therapy or golf lessons or whether it would qualify. But I think your point is well taken.

MR. POWELL: I don't know if I really completely understand the question or HIPAA for that matter, but I can tell you that in our case, we absolutely as I said earlier believe that the individual has to be assured that that information is protected.

So again, this may be naive, I flip now to say yes, I think there is an issue with respect to costs for small business, no question about it, John. You have got to bear in mind how onerous is it for that individual to implement something the likes of which HIPAA. But now from a small business, where is the good in my view to have a standard that you can have a system that is trusted, I think there is a lot of goodness in that.

I don't know if I want to extend that beyond HIPAA all the way into the national individual health system because frankly, I don't know how you control individual coming from so many disparate systems. My brain fries trying to think through it.

But that said, and I don't know if I answered your question, I believe very much in protecting individuals' information. If there are systems for reasonable costs on the part of small business to build connections, interfaces, compliances with that, I am all for it.

MR. ALMQUIST: If I may, the certified athletic trainer through their education is well aware of the importance of privacy and confidentiality amongst their care and their records. But we do have that misunderstanding.

I understand what HIPAA is supposed to allow in transfer of individual to two medical professionals providing care. But the problem is that the physicians' offices are running so scared that instead of allowing that, they just say no to everything, and that compromises overall care.

So if there is a new reform, that it would be spelled out a little more clearly perhaps. I know when this first hit the press it was a lot of misunderstanding and everybody was running all over the place. Maybe that is what caused all that tightening up, and they never let go. But if that could be addressed with regard to making sure people understand that you can share information amongst two people providing care, that would definitely help in our situation.

DR. ROTHSTEIN: Thank you for that point. That has been one of our mantras for the last five years, the need for education among providers as well as the public.

DR. FRANCIS: I found that to be helpful. I also found points to underline and think about more the question about the interface between the HIPAA regime and for us.

DR. ROTHSTEIN: The question, Leslie, was raising the interface between HIPAA and FERPA. That was the subject of a hearing that we had in September. It is an issue that we are not through with, and it is one of great concern to us.

I think Mr. Almquist would agree with the sentiment that we need to resolve this conflict and the gaps and the overlaps to make the FERPA and HIPAA work together seamlessly so that information that needs to be protected is, but people can still do their jobs.

We were concerned at our hearings with school nurses getting immunization records and that sort of thing. We just heard a new twist on that today.

DR. FRANCIS: Right, I just wanted to bring that up and make sure we didn't forget about that.

DR. ROTHSTEIN: No. Thank you for reminding us.

DR. HOUSTON: You answered the question I was getting ready to ask you. It speaks to the fact that whether it be a trainer or whether it be a school nurse, you almost fall into the same bucket because you are trying to speak to physicians about something related to child care. I think we need to make sure we don't lose sight of that, regardless of where we lump these two things.

I do have a couple of other questions, one for Tracey. You said you voluntarily comply with HIPAA.

MR. POWELL: To the best of my knowledge, yes. Don't ask me how.

DR. HOUSTON: I was going to ask you how much. I was just wondering about the burdens. Often the issue comes up that the costs associated with HIPAA compliance is so great that it has a detrimental impact on whomever, and that is one of the reasons people don't want to extend the coverage of HIPAA.

But if your company is the poster child for yes, you did it and it made good business sense, do you have any statistics on what the cost was or what the effort was?

MR. POWELL: I don't remember any specifics. I do remember pain. But again, it was pain that I felt was legitimate.

Just to put it in perspective, you don't feel pain like you do going through FDA approvals for Class III medical devices. That is real pain. But there was a cost burden, both in terms of developing procedures, understanding what it is all about. Somebody at my organization had to do that, not me. Somebody had to develop the systems, the procedures, the training, all part of our good manufacturing practice.

So there is a considerable amount of effort, energy and some expense related to it. But that said, I am okay with that.

DR. HOUSTON: Do you believe that the value to the business outweighed the cost in this case?

MR. POWELL: I did, or I probably would have challenged it much harder than I did. I felt it was something that, if you are going to be mainstream in dealing with organizations that are covered, and whether we are or we aren't, if we are dealing in that world, it was important to us. It was an imperative.

DR. HOUSTON: If I could ask one question of Eric and Mr. Marquis, there is a group of physicians who have not had to comply with HIPAA because they don't electronically bill. Where I see the touch point with HIPAA potentially needing to apply is where there might be an interest in getting information.

I understand, Eric, part of your testimony was just that, how do you exchange information, but I am going to ask the question in maybe a little bit of a different way. With the development of the Nationwide Health Information Network, there is going to be this body of information that is going to be readily available.

I am going to make a statement and let you respond to it. I think it should be appropriate that if you want to participate in NHIN or get information from NHIN, you need to agree to a set of standards, in this case HIPAA or something very much like HIPAA that protects patient information and privacy information and security and things like that.

How would you react to that statement, both of you, in terms of yes, do you agree? Would it be something that your constituents would be willing to agree to? Is it something that doesn't sound right, or does it sound like something that is appropriate or reasonable?

DR. LIGHT: If you want to be part of the club, you have got to play by the rules. I think it is as simple as that. If you want to be part of the system or have access to the system, you have to comply with a set of rules.

Having said that, I don't want the lack of membership in that club to act as a barrier to the safety of the consumer or the patient. That is the concern. So the control, should it be between the club members or should it be between the person whose health is essential to the whole question, and that is the client or patient or whatever you want to call them?

But just from practitioner to practitioner, I think there needs to be some rules. I just hope you will have some flexibility, because our businesses are so different in how we apply the need, not how we recognize the need, but how we apply the need.

MR. MARQUIS: That question puts me in a position that I didn't want to get in when I came here. I'm not here representing the great body, if there is a great body of physicians out there who are not covered by HIPAA to state their position. I am here to describe the small segment of concierge physicians that likely are not covered by HIPAA, and likely wouldn't be, to please if they heard me say they should.

I have not had a discussion with any of them other than a general discussion over the years about HIPAA generally. Obviously they don't feel very kindly toward this when they are charged with implementation.

There is one other -- when you mentioned the cost of HIPAA, there is a retrospective cost that Tracey was referring to. There is also a prospective, unknown cost. That is, you have created -- not you folks, but government, have created a whole body of plaintiffs out there who could be looking for HIPAA violations. Not that there is a professional group of plaintiffs looking for these things, but that is the reaction you get from some physicians; when you tell me I have to comply with something, I better comply with this or I am at some sort of risk. I don't think that risk exists frankly, but you do hear that from physicians as part of their costs.

DR. HOUSTON: We are whispering over here that there is no private right of action under HIPAA, but it does raise an interesting issue. If you are voluntarily complying with something and if there is a voluntary compliance component to it and you don't do it, would there be liabilities that would attach because of that.

MR. MARQUIS: There is a difference between saying there is no private right under HIPAA and the establishment of a standard the breach of which will create liability and the standard in a state court might be HIPAA compliance.

DR. BERNSTEIN: I will quickly point out, I was writing a little note to Mark here, that that is an extremely good point. Just this week someone passed me a note that there was a North Carolina case, a private suit, in which HIPAA was used as the standard of care, even though there is no private right of action.

DR. ROTHSTEIN: Paul Tang?

DR. TANG: I'll pass, thanks.

DR. ROTHSTEIN: Thank you. Anyone have followup questions? I have asked my questions.

DR. BERNSTEIN: I wanted to ask Mr. Powell about the confidentiality rules rather than the anonymity. In the case of anonymity it really is anonymous and you couldn't put together the types of data you have, not an issue. The patients are not identifiable. You might be able to do some research on it, but if they really are not identifiable.

I wanted to ask you to talk a little bit more about the rules that you said cover the public health tests that you are doing that have confidentiality rules that are not anonymous. How does that work? How do those things differ? Could you just elaborate on that?

MR. POWELL: I'll try. Let me just say, with the anonymous testing there is a value to the data. We have provided data at certain times to the likes of CDC, FDA and others, where we were able to look at demographics. So you could theoretically look at outbreak areas in a country. So there is some good value with respect to anonymous data.

The question I have is that going to be thought of as connecting to this, and it seems like on the surface, no.

What we do in the way of confidential testing when we first started looking at this, it was predominantly to help public health departments, because they would say anonymous testing doesn't do us any good. The reason for that is, we need to get our hands on these people and we need to get them in to -- we need to do partner notification, we need to try to get them into -- you have a question?

DR. BERNSTEIN: Is that not the case with HIV? There are some states that require reporting for positive HIV tests too. Why is there a difference between those other kind of tests and the HIV tests?

MR. POWELL: It is not just HIV. It is hepatitis C as well. Typically, at least in my dealings with public health officials, they are first and foremost truly looking to help those individuals, find those individuals, stop the spread of the disease. How do you do that anonymously? I don't want to get -- that is a whole other tangent.

So we said, our anonymous system may not be good for you in certain venues. So we will put together a system that will provide you a confidential and on an opt-in basis, and it is completely at their volition, do I want to opt into a program.

As an example, we will do programs in churches. We will do programs in community outreach centers. So individuals are typically asked by outreach workers, do you have risks for -- I'll take hepatitis C for a minute. There are six or seven different questions that you can ask, and you can do it on a piece of paper or over the computer or over the telephone.

What we try to do is educate individuals before we go to testing, so they can find out whether they are at risk through a very easy to use health risk assessment. When we get someone to go through the risk assessment, and it is determined that this individual is at risk, then these workers will suggest that you are at risk, so you should think about taking a test. In many cases, this test is underwritten by the likes of a public health department, what have you.

So it is an opt-in basis. It is confidential, because now in this case they know who the individual is. One of the reasons why that is important is, when we are testing, to make a test highly accurate, it needs to come back to a laboratory and we do confirmation. We do ELISA testing and confirmation testing; that takes some time.

DR. BERNSTEIN: Do you know who that individual is, or just the public health entity know who it is?

MR. POWELL: We will have a record on that individual.

DR. BERNSTEIN: An identifiable record?

MR. POWELL: A code number and an identifiable name, if you will. We will have other contact information that we will get. All of that information is highly protected in our system. I can't tell you how, but I can tell you it is.

DR. BERNSTEIN: Jumping off what John was saying, presumably if you have a highly protected privacy system, then if you were to be regulated by some scheme, the increase in your costs would probably not be that great, because you are already doing a lot of it, anyway.

MR. POWELL: I always felt as I said earlier that we were regulated, so little did I know. Our FDA system for hepatitis C testing, it is highly regulated. So even though we are not billing insurance in that case, I felt that HIPAA was absolutely critical to protecting.

DR. ROTHSTEIN: But you do suggest a new strategy that we might pursue, and that is instead of legislation or even regulation, we could just spread rumors that all these other entities that we are talking about are covered.

MR. POWELL: You got me. Did that answer the question?

DR. BERNSTEIN: Yes, it did somewhat, yes. I wanted to also ask Mr. Almquist a couple of questions. One is, we heard in our September hearing from school nurses, I don't think I have ever heard this before in a hearing, but they said they would like to be regulated by HIPAA. They would not like to be regulated by FERPA. It seemed like the reason for that as I understood it, and other people who were there can jump in, that the Family Educational Rights and Privacy Act was designed to protect school records, and did not take into account the fact that the school nurses are essentially a public health organization. They are seeing things like immunization issues, they are diagnosing autism, where it was more often diagnosed in schools than a medical setting, they are having trouble reporting to public health entities, and doing other things that a health care organization would normally do, because FERPA did not consider that some of the school records are health records and just didn't take them into account. It is actually much more narrow in its exceptions to where you can share information. They said they would rather be covered by HIPAA.

Do you know if NATA would take that position or if the athletic trainers would take that position? I don't mean to put you on the spot if they have taken a position, but since there is that complication, would it be better for you as a health care providing organization?

MR. ALMQUIST: I don't think that NATA has taken a stand one way or the other. But I do know that the -- everywhere you go, you are getting an individualized understanding of the situation. So how our school district looks at the whole situation between HIPAA and medical records and FERPA and our employees, whether it be the school nurses, who in our system are government employees because they are from the health department, they get contracted to work in the schools, as opposed to being school based employees. So there are a lot of controversies.

The inconsistency is one of the biggest problems. That is what the attorney explained to me, the Chinese walls. If the person is contracted within the school system to provide the care and develop the records, then those records are in fact FERPA records. But is another attorney in another school district looking at it in a different way? That would be the biggest question, to flush out what is right first and then determine which way you want to go, do you want to go with the HIPAA or the FERPA.

But it does appear that when you are within the school, there are individuals who do have a need to know about a certain issue that may not be from a medical profession or from a medical angle.

DR. BERNSTEIN: Teachers, coaches? Who are you referring to?

MR. ALMQUIST: The teachers and the coaches. Especially in our setting with the athletics, it would be the coaches, who may need to have information with regard to a medical condition that one of the athletes has. If we were under HIPAA, the way I understand it to be now, we would not be able to provide that information to the coach, as opposed to now that we are FERPA, we do have that latitude to expand that area of information.

DR. ROTHSTEIN: I want to thank all four of you for very interesting testimony, and to alert our listeners on the Internet as well as our phone colleagues that we will stand in lunch recess until 1:30 Eastern. Thank you.

(The meeting recessed for lunch at 12:50 p.m., to reconvene at 1:45 p.m.)


A F T E R N O O N S E S S I O N (1:45 p.m.)

DR. ROTHSTEIN: We are back on the record for the afternoon session of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics and our hearing on privacy protections for medical records of non-covered entities.

This afternoon we have got a variety of things to discuss. We will go through them in order. As we get to them I will explain more or less where we are in each one of these.

On your agenda you will see that we had listed a panel discussion, and it will not be a panel discussion. Only Mr. Goldberg has been able to attend, and we thank you very much for coming. So what I would propose that we do is have him provide background and his view on the scope of HHS authority to, if it so chose, extend protections to the full extent of the statutory authorization, and then the subcommittee can use that background for its followup discussions among itself to see where we want to go with this.

So with that as background, I want to welcome you and thank you for coming, and we are anxious to hear what you have to say.

Agenda Item: Scope of HHS Authorities

MR. GOLDBERG: Mr. Chairman, members of the committee, guests and listeners, I am honored to be here and privileged to have this opportunity, thank you.

But first, a disclaimer. I am of course an attorney at law, and my training over 40 years of practice of law has been related primarily to being a zealous advocate in behalf of clients. That is not what I am here for today. So I disclaim anything I say as being for and in behalf of anyone I have ever represented or I might now represent or I might at any time in the future represent, and I disclaim anything I say being for and in behalf of anyone I work with, for or am likely to be affiliated with in the future.

DR. ROTHSTEIN: So noted.

MR. GOLDBERG: With that as preface, I want to say one other thing. I am humble, being before you. I am not licensed to practice health care. I believe each and all of us who are embarking on any course that affects or could disturb the delivery of health care must indeed be restrained, sensitive and focused on the fact that those who do deliver health care are unique, special and certainly to be commended for what they do. Our goal has to be not to interfere with those efforts, as much as we can, while being mindful of legal obligations and constraints.

Now getting right to the point of your question to me, which is, what is the authority and is there expansive authority for and in behalf of the Secretary of Health and Human Services to address additional privacy concerns in our society today.

I believe the Secretary is limited by the statutory authority that exists under the Health Insurance Portability and Accountability Act of 1996, administrative simplification, subtitle, in several respects. I believe the authority is limited insofar as transactions of electronic natures are a part of the authority base for the Secretary, dealing with financial and administrative aspects, although I know that the Secretary may increase the numbers of transactions, so there might be some vehicle for some expansion.

I know also that the privacy rule is worthy of special note, in that it is probably the briefest portion of the HIPAA statute, about which so much has been written and so much has been promulgated in the rulemaking based on several sentences in the statute. But I believe that the Secretary is constrained by those several sentences in the statute to deal with patient privacy, the exercise of rights with respect to privacy, and use and disclosure authorized and required. Then the Secretary might go somewhat beyond based upon that statutory underpinning.

So as you see, there are two vehicles for some expansion, that is, the transactional area and the privacy rule base under the statute. But as you can tell by my hesitancy and qualification, I am not inclined to say that were I to be a zealous advocate in behalf of a client with respect to expanded authority, I could comfortably provide an opinion that any material or significant exercise of supposed authority to encompass substantial numbers of additional covered entities or substantial numbers of additional protections with respect to non-covered entities of the privacy of individuals. I am hesitant, and would likely have to conclude if pressed that I probably could not provide that opinion with respect to the enforceability of the Secretary's initiative.

Now, I say this from several perspectives. One, as indicated, from having represented many covered entities, many individuals and many in the middle, neither individuals whose privacy is addressed by the HIPAA statute and rules, or entities who are covered under the statute.

It would seem to me, now moving beyond whether the Secretary has the authority, as I have indicated, I think the Secretary is quite limited, and even if the Secretary would conclude some additional exercise of authority might be appropriate, let me give you a view, again not zealous for and in behalf of, but simply my own personal notion.

I believe the HIPAA privacy rule is extraordinarily complex. I believe those in health care who seek to implement the HIPAA privacy rule should be commended for a Herculean effort at understanding something that we as lawyers spend many, many hours, weeks and months, indeed years, trying to deal with. Parenthetically, some ask me because of all of my experience what I think of HIPAA and the privacy rule, and I sometimes say it is a living. But I am not pleased to say that, because fortunately after 40 years of practice and now with my own law firm and no need any longer to address the so-called billable hour that many in the legal profession are so committed to having to deal with, I can step back, since in my own office I can do whatever I like in terms of many requirements that I had to adhere to before, and I can tell you, it is not pleasant to have to assess a charge against a health care provider for trying to explain a complex, difficult and challenging portion of a HIPAA rule, even though -- and I must emphasize this, the Secretary of Health and Human Services and the staff working in the Office for Civil Rights, has provided a tremendous amount of information, samples, background, focus pieces, so much that we as attorneys who have to deal with HIPAA really are very fortunate beyond how many others are in the law in having an encyclopedia of HIPAA information.

But having said that, one still has to open it and in either an electronic manner or paper wise deal with it, understand it, apply it.

I think the other qualification I would add for the Secretary to want to go forward would be state law as a serious concern. I am admitted in five jurisdictions, and in each of those jurisdictions, Virginia, New York, the District of Columbia, Florida and the Commonwealth of Massachusetts, we have privacy laws that are different from each and all of the others, that are different from much of what is in federal law. I don't think that is helpful at this time to address the Secretary's concern that privacy should be protected for many more by many more, because I think the confusion that arises today insofar as issues of pre-emption or supervention will only be magnified if more entities are thought to be covered and more privacy protections are sought to be given.

The only other thing I would like to say from my somewhat prepared remarks -- of course, my remarks have only been prepared very recently because my invitation came very recently, and therefore this is more of an extemporaneous discussion than a fully researched presentation, but perhaps that is a strength. I hope it is not a weakness.

When I was thinking about my presentation this morning as I was coming up here from Virginia, I thought to myself, right of health care privacy, each being three very, very important words. Then I thought, wash your hands. I said to myself, we better be careful, because from my experience and reading over the years of many, many publications in health care and from personal knowledge, it may well be that more focus has to be given to wash your hands or cut this way, again, three magical words, than protect patients' privacy in a seeming exuberance, when the statute does indeed have constraints that have very effectively been addressed thus far by the Secretary, but perhaps shouldn't continue to be the subject of such effective implementation that those of us who must construe the rules based upon the law are challenged in giving opinions.

If I was to suggest where we should go as a society, what should be done, I believe in three things. I believe we should have one national supervening, overarching, effective regulatory system for the privacy of information, all kinds of information, health care information, banking information, business information. I believe the system that we have now, which fractionalizes and individualizes each of the areas of protection, is confusing, confused, inefficient, expensive and most of all, very difficult if not impossible for people to fathom, let alone deal with, as those who must in the health professions and business and otherwise implement these requirements.

This afternoon I am going to begin teaching a new course for me this term in health care administration. I have taught at several law schools, I taught lawyers. My law students always analyze the HIPAA privacy notices and look at the rules and start out very eager and end up very anxious when they realize how complex all of this is.

But my course this term at George Mason University College of Health and Human Services will be to health care administrators, medical informatics specialists, nurses and others. They actually have to implement the HIPAA rules.

I caution members of the committee and others having responsibility for providing advice to the Secretary. Let's be mindful of the fact that these well-meaning decent honorable individuals in health care administration, as well as all licensed to deliver health care, have overwhelming burdens, and to add to their burdens by going beyond where we already are without carefully thinking first whether we can, second whether we should, and third, whether if we did they could respond to what we did, is something that should be pondered over some substantial period of time.

I don't believe we should move faster than we can. I don't believe we have moved as fast as we should have, but we are here now. I believe the responsibility lies in your hands in giving your advice to make it clear to the Secretary that waiting and watching and learning might be a better course than moving ahead before all the views and all the perspectives and all the information that we should seek about a uniform approach is available to us.

Those are my remarks. I would be pleased to endeavor to respond to any questions.

DR. ROTHSTEIN: Thank you very much. It is very interesting. The committee is already on record as recommending to the Secretary that the privacy rule should be applicable to all who use health information. So we have kind of crossed that bridge, but what we haven't crossed is what we are going to do when we get to the other side, which is, how do you get there. Part of that is the Secretary's responsibility of joining us in advocating before Congress that a more comprehensive legislative solution is necessary.

DR. HOUSTON: I have one question. You said there were three things. I heard the one national regulatory system governing all privacy, but I didn't distill out the other two things. You said there were three other points you wanted to make, and I heard one of them. Either I missed the other two or -- so the first one was a national regulatory system governing the privacy of all information, was what you said. What were the other two, though?

MR. GOLDBERG: I'll give you several, and you can use them as two or three or one, as you may choose.

I would certainly encourage a singular system of protection of privacy, independent of the nature of the information. I would also encourage prudence being important here. Prudence tells me that being patient and taking time is a necessary ingredient.

Another critical part is simplification. We ought to always go back, as an attorney I try all the time to remind myself, go back to the statutory underpinning, administrative simplification subtitle. It is not administrative complexity subtitle. And it is a subtitle. It is not a big title. So we are talking about simplifying, at least in my mind making less complex what people in the health care delivery system in particular today are so challenged by.

Again, when my law students have to focus on these areas over a full term course, and by the end of the course when the papers are written and given back to me, and I am doing the reviews, and I see well-meaning, well intentioned, highly schooled, well trained intellectually, extraordinarily effective students not understanding some of the portions of the privacy rule, and then I think of a nurse or an aide or an administrative assistant or a technologist or a physician -- who not incidentally never takes a course in law in all the medical training that a physician receives, when I realize that all of those individuals are supposed to construe the privacy rule the way I do, again that is not a living I want to make.

DR. HOUSTON: Thank you.

MR. GOLDBERG: You're welcome.

DR. ROTHSTEIN: Any immediate questions for Mr. Goldberg? I want to thank you for giving us that background. That has been very helpful to us. This is a topic that we need to discuss further as a subcommittee to try to get some ideas about where it is that we are going. So thank you very much.

MR. GOLDBERG: My pleasure. Thank you for inviting me.

Agenda Item: Public Statements

DR. ROTHSTEIN: There are various issues that we need to discuss. The first thing that I want to do is check to see if there are public statements. So we are opening the public comment period a little ahead of schedule.

MR. RODE: Dan Rode, American Health Information and Management Association. I just wanted to clarify some testimony from this morning. In Bill Yasnoff's testimony on the Health Record Banks Association, while we have attended Bill's meetings, we are not in any way a direct supporter of the Association and its goals and objectives at this point. We think it is an interesting model. We think it bears watching, and we have to see how it goes, but we have not signed on to be a full-fledged member of the Association as Bill indicated in his testimony.

DR. ROTHSTEIN: Thank you for clarifying that. I'm sure Bill will be interested to get further clarification. Are there other public comments?

Let me see if I can go over for the members of the subcommittee -- please.

DR. FRANCIS: The audio stream has quit functioning.

(Remarks off the record regarding technical difficulties.)

DR. ROTHSTEIN: Let me go over the list of issues that we need to address as a subcommittee this afternoon, so that everyone follows what we still have left to do.

We need to discuss the annual HIPAA report. There is a privacy section in it, and we all agreed to take a look at it and send suggestions in that Maya has compiled. We are going to consider what the privacy language should look like. So that is one issue.

DR. BERNSTEIN: I haven't actually compiled them yet, but we have collected them. If we are going to do some line changes we haven't loaded up on the machine, I can sit over there if you want to do that next.

DR. ROTHSTEIN: I'm going to go through the list, and that will be the first.

The second thing we have to do is talk about what we plan to do next with regard to the issues that we have already heard about. In other words, it seems to me that we have heard among the following topics at our last three hearings, that is, September, November and today, about the extension of coverage to the entities in the commercial and financial industry, the overlap and gaps in schools, coverage to other non-covered entities such as life insurers and employers in their roles as employers as opposed to health plan sponsors. So we need to decide what we want to do to follow up on that, as well as the health care providers that we heard from today.

We also need to consider whether we want to do any additional followup on the research strategies topic. Remember, we heard at our last hearing in November if we were to design a research system to measure whether the privacy rule had any effects, what would that look like, so we need to talk about that.

We need to talk about what additional issues we might want to consider next. I have got some ideas, and I know other members of the subcommittee have ideas about where we ought to go next.

We also need to discuss timing, if we are going to send letters with regard to one or more of these issues, when are we going to have our next meetings, what are we going to shoot for in terms of our timetable, when are we going to schedule our next hearings.

So those I think are the four issues -- maybe I have left something out -- that we need to discuss this afternoon.

DR. HOUSTON: The first three things you described, is that one issue? You said extension of coverage, commercial and financial, overlap with schools and others, and non-covered entities such as insurance and others.

DR. ROTHSTEIN: Yes, that is all one issue. It is a fleshing out of the recommendation from June, that the same rules ought to apply without regard to whether the entity is within one of the three covered entities things. Those are explanations that we talked about. In other words, Gramm Leach Bliley, FERPA and so forth are all underneath that one, and that is the extension. Then we have the research strategy issue that we heard about.

(Remarks off the record regarding technical difficulties.)

MR. REYNOLDS: Two ways to build something, from the individual issues we have, or to step back and say at the end of '07, where would we want to be, what would we want to have done to consider a move forward. We did the whole letter, and now we are going through the pieces.

So it is just a question. What do we want to have contributed this year through these hearings rather than just subjects that would get us at the end of the year to something that would say, yes, that made a difference?

DR. ROTHSTEIN: Harry, I would say that that is a very good point. There are different ways which we could go. One way would be to go into different aspects of the letter, instead of doing recommendation 12, let's take a look at recommendation 20.

Another way is to say, we have got this out there, and let's just put this aside for a minute, and that is not the sum total of all the issues that we need to be worried about, and let's move to other things. The other things could be either at a very narrow level, it could be how do we recommend tweaking the privacy rule, it could be broader privacy issues in the abstract. There are lots of different ways to go.

I think your point is a good one. This is probably a very appropriate time to try to figure out where we want to go.

DR. HOUSTON: I absolutely agree with Harry. I think it is a great observation. I really think that the first subject that you listed out is one that I continue to hear. It is a recurring theme in a variety of forums.

DR. ROTHSTEIN: Which was that?

DR. HOUSTON: It is this whole issue of coverage of HIPAA and the overlap with FERPA in the non-covered entities. I have heard in a variety of forums that this continues to be an issue of great concern. I think that it is timely, and I think there is great value in trying to come up with some recommendations on that subject.

It is going to be something that is going to need to get in process sooner rather than later, simply because of the fact that it will take some time for it to be resolved. But I think people need to have somebody step up and say, this is the recommendation of how we deal with this. This is what we think needs to be done, because if we see NHIN coming, and I think NHIN is really going to magnify the issues that you laid out earlier, I think it will absolutely magnify the issues unless there is a resolution on it.

So I think to bring this all together then, my comment is that I think there is compelling value in us trying to address this issue now and try to get it knocked out quickly.

DR. ROTHSTEIN: I have a question. Are you just saying -- I just want to understand the scope of what you are recommending. Are you recommending that we deal with the FERPA issue, the FERPA-HIPAA issue, or something broader?

DR. HOUSTON: I think it is broader. The first three things you articulated all fell under number one.

DR. ROTHSTEIN: Right.

DR. HOUSTON: FERPA, the non-covered entities, the exclusion of coverage of commercial and financial. All of those things tie together.

I think all these -- if you want to call them non-coverage or overlap, all that is going to be magnified simply because of the fact that when the NHIN forms, there is going to be a lot of entities that are either going to want to participate or get data, or there is going to be more tension about the rights to data because of the much broader access and availability.

In all those subjects, it is going to be one for which there is going to be a lot of effort and time between when you make recommendations and when we are going to get some clarity on it. It may take legislative action, it might take other things, I don't know, but I think we need to make a recommendation sooner rather than later.

DR. FRANCIS: I like the way the last speaker brought out that interrelationship between the questions that you outlined first, Mark, and NHIN. It seems to me that what we should be doing is thinking about the issues on both of those fronts, so that we make a list of the non-covered entities questions and which ones we think are most pressing, most practical and most problematic from the question of interface with the NHIN.

On the other side, we keep our eye on the question of whether there are privacy recommendations that need to be brought forward in light of what is going on with respect to electronic health records.

DR. ROTHSTEIN: I thank you for that. Let me add my response to John's comment. I think we all share the view that there are so many entities that deal with sensitive health information that are not subject to the privacy rule. Not only did we say in June that they ought to be subject to some sort of regulation, but we wanted to get a better sense of what was involved and what it would mean to them, and whether it would be burdensome and whether there were overlaps and so forth.

Personally, I think we may be reaching the point of diminishing returns by continuing to explore this. We have gone into many of these areas. I think it is safe to say that there are thousands of providers in dozens of different categories that are not covered, and if we wanted to go into detail, I suppose we could do that. We could encourage the Secretary, and maybe even fund from our funds -- now that Marjorie has left the table, I can say this -- hiring a contractor to estimate the number of non-covered entities in each of these different categories.

I'm not sure that at this point, having already gotten that principle on the record, it makes great sense for us to continue pursuing that, except for one area. The one area that -- if I had to pick one that I would say is really messed up at the moment, that might be amenable to some degree of change or clarification or guidance without amendment of the statute, that is the FERPA issue.

I think the testimony that we heard was so compelling from the school nurses and all these people. They can't get records that are very important to the health of the children. They can't share information with public health agencies that is very important. We heard another aspect of that from the Athletic Trainers Association today.

Personally, if we wanted to pick an issue to go into more depth, I would say FERPA. It is not that I am not concerned about the others.

DR. HOUSTON: I'm not advocating that we take more testimony. What I am advocating with my earlier comment was that we take those issues and we make recommendations. I think what we need to do is get to deliberation on actually making some recommendations.

By the way, I think we probably have heard enough about FERPA to know that there is an issue, and I don't even know if we need to get more testimony on that. I think there is already a lot of compelling arguments. All I'm saying is, I think we need to translate what we have heard on these subjects into a recommendation. I think it is going to be a fairly lengthy recommendation, but I think it is one that is timely. I think if we start on it now and try to get it done by the end of summer, I suspect it is going to probably take that long to do what we need to do.

DR. ROTHSTEIN: Would it be your recommendation that we bundle them all together?

DR. HOUSTON: Yes, that is my recommendation. When you unbundle them, what was the last -- Alan Goldberg -- even if we stay with health care and try to bundle those issues together to keep a health care focus, if you unbundle them you are going to have a lot more fragmentation that is going to lead to as many questions. So I think you have to almost pull them together in some cohesive fashion. But the focus will always be -- the domain will be health care. Even though we are going to be talking about potentially FERPA and GLBA and stuff like that, the focus is health care and health care data.

His recommendation was that we should have a comprehensive privacy law for everything. I wouldn't go that far, but I think we need to comprehensively deal with privacy within the health care domain.

MR. REYNOLDS: I would add one other remark. The reason I see what we are talking about here more important than it has ever been is that in my day job, I don't think two hours go by where there is not something in the e-mail or a new call or a new meeting where somebody is trying to do something in this space. A lot of them are not covered entities.

I would say to you clearly that the implementations are going ahead without guidance. The implementations are going full speed outside of the realm of what HIPAA was set up to be. I am telling you, people are grouping up in different and strange ways. People are offering services that are not even covered entities, and are offering these kind of services that have this information.

I would just say that the implementations are not waiting for a definition of what the next step should be. They are going full speed. Everybody uses the NHIN. That is not here yet, but there are plenty of PHINs, personal health information networks, RHIOs. I spend a lot of time talking to Jeff from the Standards Committee, Jeff Blair. His fulltime job now is building these things.

DR. HOUSTON: But you know something, Harry? They are becoming the surrogate for the NHIN.

MR. REYNOLDS: They are what?

DR. HOUSTON: They are becoming the surrogate for the NHIN.

MR. REYNOLDS: I agree. So what I am saying is that maybe two years ago if we were sitting here, everybody was talking about doing stuff. There is an industry out there that is wide open, putting stuff in place. I think at some point privacy has got to catch up, or this discussion has got to catch up with it, because once it is implemented, undoing it and getting everybody to go back and change it to come back to where we would like everybody to be is not something that works well in this world.

DR. TANG: I just want to round out, just in case Harry didn't make it clear, I am just scared of witnessing as many egregious violations. It is a changed world just in the past one year or two years. There are vendors that are obligating covered entities to do things that they are not allowed to do.

DR. ROTHSTEIN: There are vendors obligating covered entities to do things that they are not allowed to do, is that correct?

DR. TANG: Correct.

DR. ROTHSTEIN: I think it supports Harry's view that there is sort of like a wild west out there.

Here is my concern. I know the members of the subcommittee realize that I am a very strong advocate of extending the coverage of privacy laws to all entities who have this. My concern is that doing that basically is a two-step process, from us to effectuate. We have got to make a recommendation to the Secretary, and then the Secretary has got to go forward and take that to Congress and have something happen there.

We have already made this general recommendation. So my concern is, maybe our time would be better spent on concentrating on issues that the Secretary could implement without having to go to Congress, because we have already said we think Congress ought to do this.

So there are a limited number of hours that the committee can meet and a limited number of topics that we can do work on. If I were king, I feel passionately about this, this would be one of my first edicts. But it takes a long way to get from our discussion to implementation and it can get sidetracked very easily by all sorts of things along the way over which we have no control.

So that is my only hesitation. If we took John's suggestion and came up with a detailed, more comprehensive in-depth followup of our earlier recommendation, I am afraid that we would be debating that for a long time in subcommittee to get the language just right and so forth, and then the full committee, and then it goes to the Secretary, and God knows what happens to it after it reaches the Secretary's desk, and maybe we have spent all this time and having nothing to show for it.

DR. HOUSTON: In my mind though, this is something that desperately needs to be done. I think we need to do it. Somebody needs to do it. Somebody needs to step up, in my mind.

DR. ROTHSTEIN: Somebody needs to step up and say what?

DR. HOUSTON: How do we resolve all of the issues with everything from covered to non-covered entities, how are we going to deal with data flow, whether they be these large private organizations managing data or outside the purview of HIPAA to how are we going to deal with the NHIN and the fact that you are going to have entities that are going to want access or contribute data that are not HIPAA covered entities. How are you going to deal with the interplay of FERPA and HIPAA in the same context of this more global sharing of data. I just think this is a big ugly mess that is going to get worse.

DR. FRANCIS: In the context of thinking about the sorts of issues that John was just outlining, why isn't it possible to both look at which of the issues seem to us to be most important in terms of need and most track for us? That is what we want to look at first, that we can do it through recommendations to the Secretary rather than through statutory.

It seems to me that the question of what kind of change would be required is something that of course we ought to be looking at, and something that doesn't require Congressional change is important for us to concentrate on. But if something is really important and does, we need to say that.

(Remarks off the record regarding technical difficulties.)

DR. COHN: I am a little embarrassed, because I could only about 20 percent hear Leslie. I'm not sure what I am saying is completely what you said or completely separate.

I am listening to the various issues that we are describing, and I am a little perplexed that John is sticking them all on top of one another, just because it feels to me like we are dealing with separate issues which may be important, but trying to deal with FERPA on top of non-covered entities such as we have had testimony on today feels to me like very different things with very different solution sets.

That is not to say they aren't important. I am in my own view thinking that we have done a fair amount of work on FERPA on letters previously. If you look back at our letters, there have been a number of letters that have related to FERPA. We may need to go back and look at that. Maybe it is time, given that there is other work going on, looking at research and all of that, that maybe that is something that should be in a direct letter as opposed to more deliberation.

DR. HOUSTON: The only tie I see to FERPA in this case is that it seems like some of these individuals for which FERPA applies are non-covered entities under HIPAA, or there is some question about that. So when we are dealing with groups that are non-covered entities for which there is another regulation that may apply to them in some way, which may also govern privacy or management of health. So that is the tie.

DR. COHN: And maybe what we are talking about is coordination. I guess I contrast that with the other piece we were hearing today, which had to do with really non-covered entities. It is unclear exactly what the coverage is of new entities in the environment.

The part that I heard, which I thought was new today -- and once again, I don't have a lot of legal background, --

DR. HOUSTON: But you are a doctor.

DR. COHN: I am a doctor, exactly. This is something we talked about when we talked about personal health records, this issue about whether or not business associate agreements would suffice in terms of coverage for those entities.

From my view, if indeed that handles the problem, fine. If it isn't, we need to bring that fact to peoples' attention, because I think there is an assumption going on that that is going to solve the problem.

DR. ROTHSTEIN: Simon, I believe that in our June letter we specifically said that the business associate language in the current privacy rule was inadequate to address these issues, and that is why we had recommendation 12. I think there is language there that I could cite to you.

DR. COHN: Mark, I think that a one paragraph or in this case a two or three sentence piece -- once again, I don't have that letter in front of me, but --

DR. ROTHSTEIN: I do.

DR. COHN: Okay, you have that letter in front of you. Maybe I should take a look at it. I don't remember a lot of the background of why --

DR. ROTHSTEIN: See, you're not a lawyer, but I am.

DR. COHN: And you come a lot more prepared than I do. Was there an extensive discussion of why it was not sufficient? Or was it more a conclusionary statement of why it was not sufficient? You are hearing how I tend to think about HIPAA, but I can certainly withdraw my comments and let things proceed.

MR. REYNOLDS: One quick comment is, a lot of people that are in the space now that are implementing are not business associates of anyone that is a covered entity. That is the other piece that is coming to the forefront. Some of these people that are offering personal health records aren't everybody defined in the HIPAA law.

For example, you could take the not-for-profit that was discussed this morning. If those companies only give money to that group and do not consider them a business associate, which they probably would not, then that group that has all that information is nowhere. They are zero. There is nothing going in the world for them.

So that is this paradigm, where the keepers of the information are far more important than what is actually occurring.

DR. BERNSTEIN: We just promoted David Holzmann, in case you don't know him, from the Office for Civil Rights. Christina Hyde had to leave. A little changing of the guard there, so that since we are discussing HIPAA stuff, we have a HIPAA expert with us.

What I was going to say about the authority issue is Leslie's point about trying to pick the low-hanging fruit where we don't need legislative change, is that determining whether or not we need legislative change is a very big task. Notwithstanding the previous non-panel panel, or whatever we were attempting to start thinking about what authority the Secretary has, it is not clear what authority the Secretary has. Unless you want me to go off and have a new job figuring that out, to the detriment of serving this committee and the other things I have to do, I don't think we can probably answer that question in the subcommittee. But I think that the subcommittee should nevertheless feel free to make whatever recommendations you believe are appropriate.

Truly, if the Secretary wants to take up those recommendations and decides to do so, we will determine with counsel whether he has the authority. If he decides that he wants to do it and he has the authority, he will go right ahead. If he decides that he wants to do it and does not have the authority, he will seek legislative change to get the authority if he is motivated to make the changes that the subcommittee is recommending.

In the case where the Secretary does not want to take up the recommendation, no amount of authority is going to make him do it, really. That is a political decision that -- by your powers of persuasion you can suggest all the reasoning why the Secretary might want to take up a particular recommendation, and I think this subcommittee has historically had great powers of persuasion to do that.

But if we were to wait to figure out which areas -- unless it is obvious; we know that the Secretary is not the Department that has the responsibility for FERPA. That is the Department of Education. But the rule or the statute, one of them, says that anything covered by FERPA is not covered by HIPAA, so there is a wall there, as was mentioned in earlier testimony.

The Secretary could for example decide to cover those entities by HIPAA, but would not be able to relieve those entities of being covered by FERPA without working with the Department of Education seeking legislative change and so forth.

So I guess I would recommend not getting caught up in which authorities we have particularly, but to focus more on what you think the right result is for the country, for the NHIN, for those particular topic areas that you think you well understand and are ready to make recommendations. Then we can move on from there.

I think the Department as I said will respond. Maybe Marjorie has some thoughts on this, but the Department will respond by making political decisions, as it does, and in the case of authority will go ahead, and in the case of non-authority will either seek the authority or not.

DR. ROTHSTEIN: Unlike many of our debates in the subcommittee, the thing that is unusual about our discussion today is that substantively I think we all agree. The issue is tactics, and how we best use our limited resources. So I think that is where there is a difference of opinion.

DR. BERNSTEIN: I do think it is a very complex problem. We could make it easy by saying anyone who has medical information should be covered by some rule, or as someone said earlier, the protection should follow the data itself. Even if we were to decide, the subcommittee were to decide, that everything should be covered that is medical information, the question is still how would you do it. Would you do it by provider, would you do it by tagging it to the information itself, would you do it by the use? There are lots of different ways even to do that. I am guessing that you are going to get more granularity than that.

DR. ROTHSTEIN: Marjorie, please help us.

DR. GREENBERG: Well, when you put it that way. I agree with everyone. I am just thinking that you have had a number of -- you have the letter from June, you have a number of very interesting hearings. I think if you could take away one thing, it is probably that ignorance is not bliss, because groups we wouldn't even think about, as Harry has pointed out to us -- and well-meaning groups; we haven't heard from those with nefarious purposes.

I think the bottom line is that as Harry mentioned, and as several people we heard today, maybe we raised their consciousness, maybe the general environment has raised their consciousness, but a lot of people are thinking about, maybe they need policies, who currently aren't covered and don't have policies. The train has left the station, to be trite.

So it seems to me that there could be real value in the committee sending a letter to the Secretary which would also go to the Data Council and probably get to AHIC, et cetera, with the findings, or identifying these issues without yet having solutions. Possibly if you feel you could in a reasonable period of time mention some alternatives and some pros and cons, some of the problems you have heard with HIPAA, but those are really more findings than recommendations.

I think that it might educate folks who are very focused. We were talking about, there is a lot of focus on secondary uses of data, but there are all these primary uses of data that aren't necessarily covered that do relate directly to treatment and maybe possibly payment in health care operations.

It was mentioned in your letter, but there was so much in that letter that I don't know that it is necessarily what people focused on. Probably they didn't, because there were some other things that were maybe more controversial or expanded more.

So I think sooner rather than later, at least a letter with the findings with the hearings you have had since September, would be a good idea.

DR. ROTHSTEIN: So let me see if I understand what you are suggesting. We send in as short a time period as possible a letter to the Secretary that says, in June of 2006 we recommended the following. We have had three rounds of hearings since then to get a better sense of the magnitude of the problem, and here are some of the things we have heard. What we have heard basically reinforces our earlier view that this is a very significant problem, and that there are lots of classes of health care providers who are not covered entities under HIPAA.

DR. GREENBERG: Not only that, but that there is a lot of confusion, and a lot of people are looking for guidance, and everyone is doing their own thing in the absence of guidance.

It is hard for me to remember what happened yesterday, but what I heard in the hearings in September, I do know you have got two large groups. You have got the ones that aren't covered by anything except maybe a business associate arrangement, if that were to be executed. But then you have got those who are covered by fairly substantial legislation, like the banking one and the FERPA. But there are these areas of confusion and overlap and redundancy and maybe gaps, so it seems to me that you address one one way and one the other when there is nothing, and when there is a lot it is not compatible, or it is overlapping.

Maybe this is just self-evident, but I think you have gathered a lot of information. I would agree, I don't think it is necessary to gather more information on the problems, on the findings. I agree with Maya. I don't know the extent to which, without going into a great deal of detail in a particular area, you can come up quickly with the solutions, either. That doesn't mean you couldn't build towards recommendations maybe in the FERPA-HIPAA area, where you could bring in a workshop or something where you tried to bring in the experts and try to work that through.

It just seems to me there could be some value in expanding on what was a statement in the June letter based on the last three hearings.

DR. ROTHSTEIN: Thank you. John?

DR. HOUSTON: Two points to follow up on what Marjorie just said. The first being, I think we could without being too prescriptive give some recommendations or some thoughts on what we think some of the solutions could be, not getting into a lot of details; principles, that is a good way to characterize it.

Second, this is a word to Marjorie, or a question to her. Is it appropriate to go back to the Secretary and ask whether he would like us to further refine our recommendations or like us to take more testimony on any particular subject? Is that something that we do?

DR. GREENBERG: Not so much, but there are a lot of groups out there. Now AHIC has a privacy and confidentiality group. The HITSP has now established a privacy and confidentiality group.

I think we need a strategy for how this is going to be resolved, how we think the Secretary or the Department could exercise national leadership in this area because we think it is needed for all the reasons that we heard the last three hearings.

Those two groups were established after the June letter. I don't think everyone should be trying to solve the same problem at the same time. Some people are on all these groups, or have representatives on all these groups. Maybe some guidance from the Secretary as to where should this be pursued, not what you said, but some feedback.

DR. HOUSTON: Can I follow up specifically on that point? I apologize, but it is meaningful. I know right now that on the AHIC CPS work group, they are trying to figure out what they want to do next. They have just given a recommendation on identity proofing, and I think they want to get a sense on what the priorities are. So I think it is meaningful.

It might be helpful to try to take the chairs of that group and maybe do a little planning, whether it be with Marjorie or with this whole subcommittee, to try to get a sense on how we want to try to divide and conquer. Same thing with HITSP. Maybe there needs to be some joint planning to try to coordinate the group's activities, because two or three are trying to figure out what they need to do next.

DR. TANG: I was going to make a comment that maybe we need a harmonization group for all these privacy and security and confidentiality subcommittees, but I think that is what John just said.

DR. GREENBERG: We need a what?

DR. TANG: Either a reconciliation or harmonization process with all these privacy and confidentiality groups.

DR. ROTHSTEIN: That is I think a point with which virtually nobody would disagree, except I am going to raise the question of whether it is the role of NCVHS to do that. I would defer to Simon and Marjorie and others.

It seems to me that our role is to be a liaison to the Secretary from the public, we are the public advisory committee, and to make recommendations about health information policy. It is not to reorganize the Secretary's staff and to direct how things should work.

DR. COHN: I wanted just to respond to the need for a coordination subcommittee of the Privacy and Confidentiality Subcommittee.

I think we are all aware that there is a lot of focus and energy in a variety of these areas, not just privacy and confidentiality, but throughout all of health information technology policy areas. I think there has been a renewed and accelerated level of commitment within HHS to assure that there is adequate coordination that occurs. A piece of coordination is subcommittees and work groups and all of this deciding on what their priorities are, as well as what they think potentially should be recommended to other bodies to work on further. I think it is part of NCVHS leadership and staff to work with those other bodies to make sure there isn't redundancy occurring, which I think is our concern as much as who does what.

Marjorie, do you want to comment?

DR. HOUSTON: I don't think it has to be all that formal. I think there is a great value, as everybody is trying to understand what the priorities are, to spending a little bit of time, maybe an informal conference call, I don't know, I'm just saying, I am on two of those committees, and I see right now that they are trying to figure out what their agendas and their priorities are. I think there is value to talking about who wants to do what and how we want to try to get it all done.

MS. WATTENBERG: But in part, that is because -- the AHIC privacy and confidentiality committee as opposed to the security subcommittee is supposed to be identifying their topics according to what the other AHIC committees feel they need advisement on to pursue their breakthroughs. So it is a different --

DR. HOUSTON: I understand your point, I agree with that. My only point is, if they were already going to focus on a specific topic and we were eying it ourselves, then you say we don't need to worry about that. That is my only point. I agree that different constituent groups are trying to direct their efforts.

MS. WATTENBERG: But again, I think we solicit testimony in these two different groups for different purposes. I know that the AHIC groups are cognizant of what we have taken testimony on here at NCVHS. I think we even raised the issue on one of them to coordinate some testimony with one of the upcoming NCVHS meetings.

So I wonder if it isn't maybe more practical to charge some of the HHS people with more concrete liaison functions.

DR. ROTHSTEIN: Let me just mention that next week, the GAO report evaluating the coordination of the privacy activities of HHS will be released. There are also Senate hearings on the issue of HHS' role in promoting health information privacy.

I just think that it is above our grade level to take on those issues. I think we would be better served by taking on more concrete things. That is not to say that I don't support Marjorie's suggestion of sending a findings letter reiterating our earlier recommendation from June, updating it with more data that we have found about the number of uncovered entities and making that suggestion again. Although I would say that my recommendation would be that if we did that, we ought to do a separate FERPA letter, because it is a separate issue.

MR. REYNOLDS: I made a number of talks recently going back and reviewing the privacy letter, because I still think it is one of the best documents on the whole picture. But every time you go back and look at it, you realize how far reaching it is and how many subjects are in there.

So I think what we are saying today is that there are a couple, FERPA would be one, and this whole idea of who is covered, aligned with the fact that the industry has exploded in this space in the last 12 months, exploded. So what we are basically saying is, we gave you the whole picture, but oh by the way, there are two things that need to get looked at pretty quickly, because if they don't, it is gone. Things are going to happen, and those things that are going to happen may create a new environment. I think that is what we are saying.

I have gone through that letter four or five times recently, and if you look at it overall, having been a part of it, it is overwhelming if I sit there and look at all of it. But I think now is the time to take pieces of it that we think really make a difference, and go at them again with a subsequent letter, go at them again with another set of recommendations on the things we have heard, to go at it deeper. I think that is what I am saying.

Again, I am not derailing what we are doing overall, but I think those things will make the biggest difference in the next 12 months.

DR. ROTHSTEIN: Did you have any areas in particular?

MR. REYNOLDS: I think FERPA is a great example, and I think this whole idea of who is covered. I love the idea that somebody said that the ownership goes along with the data. I'm not sure how that works or what Maya said, but those are the kind of things that I think are more important. If we can't get legislation, people are putting things out every month. They are implementing the heck out of the stuff. If you talk to Jeff, they are building fast. These things are already in place that are doing things. Every month that goes by, privacy regulations in the real world are getting implemented, by individual people who are designing systems and designing networks, and consequently in doing so they are establishing what business is going to do. That is the scariest part of the deal to me.

DR. BERNSTEIN: Can I interrupt for just a moment?

DR. ROTHSTEIN: Please.

DR. BERNSTEIN: It is almost 3 o'clock. We need to do two things. We need to take a break at some point, and we need to work on the HIPAA report, which we have on the agenda to discuss. We moved it off for this discussion, which I think was very valuable. I just want to make sure you know we need to set aside some time for that. I understand there are some committee members that need to leave early. So I just want to make you aware of the agenda.

DR. ROTHSTEIN: Thank you.

DR. TANG: Back on that comment, I wonder if one of the ways -- by the way, I really would like to combine Harry's idea with Marjorie's, which is, we have learned new things and it is more important. The sense of urgency is not to restate what we stated before, but that it threatens to undermine the goals and objectives that HCFA has for interoperable data and the NHIN. Maybe that might not have been stated as clearly or urgently.

The other point in terms of the agenda, perhaps we should include in our HIPAA report, since it includes privacy, that we have uncovered this issue of other entities that now have access to personally identifiable health information which are not covered by HIPAA, and we feel there is a new sense of need in order to explore the implications of that, and a sense of urgency in terms of getting policies in place.

DR. FRANCIS: Just an addendum to that, too. As a neophyte, I am struck by the extent to which there may be information that the committee already has that a failure to pay attention to some of the data sharing issues and privacy protection related to that affects patient safety pretty directly.

DR. ROTHSTEIN: I lost you.

DR. FRANCIS: What I was saying is, I know that a major political concern, obviously not the committee's, but some of the issues are data sharing has consequences for peoples' health. That might also affect the urgency when what the committee has learned gets brought into that. It may be something also we might want to highlight.

DR. BERNSTEIN: Do you want to give an example, Leslie?

DR. ROTHSTEIN: Well, people not seeking care because they are afraid of the record.

DR. FRANCIS: Or information not getting transferred and when information doesn't get transferred, it might be information that is really needed for safety reasons.

DR. ROTHSTEIN: I am going to propose that we take a ten-minute break, resume at 3:10 Eastern time, and then try to reach closure on this issue of where we are going and what letters and what we are going to do, and then talk about some other issues. We still have to talk about the HIPAA report. We have to talk about planning future meetings and so forth.

So we are going to take a ten-minute break. Thank you.

(Brief recess.)

Agenda Item: Committee Proposal

DR. ROTHSTEIN: Are we now back on broadcast? The first thing I would like to do is to propose for a vote of the subcommittee members some sort of action plan for going forward to resolve the issues that we just finished discussing before the break, and that were discussed during the break informally.

That is the following proposal that I would like to put forward. In time for the full June meeting of the NCVHS, that the subcommittee prepare two letters, one to deal with the jurisdictional issue and the covered entities issue that we have talked about, and the fact that so many health care providers as we have heard today are not covered entities and so forth, as more of an informational follow-up to our June '06 letter, saying that we have had hearings and here is what we found, and so on and so forth. That would be one activity.

A second activity would be a separate letter that we will also have prepared for our June meeting, discussing the specific issue of FERPA-HIPAA overlaps, gaps and problem areas that need to be resolved. Now, saying that does not foreclose additional items which we will take up in due course.

DR. HOUSTON: Only one comment that goes to the very last thing you said. We did talk about one topic, research affected the privacy rule. Do we want to make that a third letter, or are we not to the point where we want to do that?

DR. BERNSTEIN: I'm sorry, which piece of the privacy rule?

DR. HOUSTON: The research on the effect of the privacy rule.

DR. ROTHSTEIN: With your consent, I would like to put that on the back burner for a few minutes and not have that part of the motion.

DR. HOUSTON: Sure, okay.

DR. ROTHSTEIN: Because there are other things as well that we haven't discussed. I just wanted to bring some degree of closure to our earlier discussion before we move to the HIPAA letter to Congress.

I know I have buttonholed the committee members who are here at NCVHS. I want to give Leslie and Paul a chance to comment on that proposal.

DR. TANG: Can you state that one more time?

DR. ROTHSTEIN: Paul, I think you said okay, is that right? Oh, you need me to state it one more time. I'll say this again.

For the June meeting of the full committee, we are going to commit if we agree to prepare two letters. One would deal with the jurisdictional issue and the covered entities issue. It would talk about the things that we have heard today at the hearing as well as from the September and November hearings, emphasizing that we continue to support the position that we said in June of '06 for a broader coverage and emphasize that we have additional findings in that regard, and share that with them, especially the sort of stuff we talked about today.

The second letter would specifically address the issue of HIPAA and FERPA and schools, and the health information that can and can't get to and from schools about children.

DR. TANG: So that letter would be going on to the Secretary, and the draft is to be presented at the June meeting, is that what you are saying?

DR. ROTHSTEIN: Yes, that is what I am saying.

DR. TANG: Okay.

DR. FRANCIS: I think that is perfect.

DR. ROTHSTEIN: Thank you.

DR. HOUSTON: I second the motion.

DR. ROTHSTEIN: John seconds the motion, even though I am not supposed to make the motion, is that right?

DR. HOUSTON: I make the motion to what he just said.

MR. REYNOLDS: I'll second.

DR. ROTHSTEIN: And Harry seconds. All in favor, say Aye.

(Chorus of Aye.)

Agenda Item: Discussion of Annual HIPAA Report

DR. ROTHSTEIN: It carries. Thank you. Let's if we may move to the annual HIPAA report language. Then after that, because we really need to get this done, we will come back to the issues that were reserved, such as the research strategies issues and hearing dates and other issues that we want to take up during '07. Are we ready for that, Maya?

DR. BERNSTEIN: I'm ready.

DR. ROTHSTEIN: It may be hard for the folks on the phone. Just close your eyes and imagine, and we will try to tell you what we are doing.

DR. BERNSTEIN: You have a copy that Debby Jackson sent you of the electronic version of the HIPAA report.

DR. FRANCIS: If you give me page numbers, I will know where to go.

DR. BERNSTEIN: They will be close. I made some corrections already. I have been sitting here putting in the corrections that Harry gave me over the phone a couple of weeks ago, so we might have moved by half a page or so. I hope Gail and Paul also have copies of it.

DR. FRANCIS: I have it. I am going to bring it up now.

DR. TANG: Same here.

DR. BERNSTEIN: What I just want to do is collect the comments of the committee if there are any on the report. I have the document in front of me, and if there are comments that the subcommittee wants to make, there are changes that you want to add, I am ready to take them. Otherwise, I have nothing to say.

DR. ROTHSTEIN: Can we move to the section on privacy and confidentiality beginning on page 21, which is really what we have been asked to address.

DR. BERNSTEIN: Yes. Just so you know, there are comments from the subcommittee on other parts of this.

DR. ROTHSTEIN: Okay, but I don't think we have got the time to take them up. The full committee will take them up, right, Simon?

DR. COHN: Yes.

DR. HOUSTON: I had a question at the last committee meeting, where we talked about the fact that the summary is two pages shorter than the whole --

DR. COHN: For the record, I was making handwritten modifications. I think what we have seen for this report is A, that the actual cover letter may be made a little bit longer to include some of the key pieces from the document, and that the document itself will be a report with necessary appendices at the back on things that are properly appropriate on that.

DR. BERNSTEIN: Jim Scanlon has the control over this.

DR. COHN: I'll talk to him about that.

DR. BERNSTEIN: He was at the last meeting. I think that comment was made there, and it is in the process of being redone, but we were waiting for comments from the committee before making that change.

DR. COHN: Absolutely. John was making the comment again.

DR. BERNSTEIN: The section Mark is referring to is at the bottom of page six, and there is another parallel section that looks quite similar to it, which is at the bottom of page 21. In fact, they might be just the same.

DR. ROTHSTEIN: Six is the executive summary which is the same as the -- so either one. Can you go through what the suggestions were?

DR. BERNSTEIN: I don't have suggestions on this section from people. Wait, that's not true. Harry made a comment on the second paragraph, which is that we talk about the use of information by non-health care entities. His comment if I am characterizing it correctly was that we need to say something about the inadequacy of the term covered entity. When we go to the NHIN, this term is going to be inadequate. There are gaps in coverage. The advent of the NHIN is going to put stress on this original definition because more entities are involved than were originally considered when we were talking about administrative transactions. That is one of the issues we were talking about today.

DR. ROTHSTEIN: Absolutely essential. I think the world was split into health care entities and non-health care entities at a time when somebody thought that made sense. But that is not the way the world is split now.

MR. REYNOLDS: The other thing is, this was based on administrative transactions. This whole NHIN goes outside that normal realm of administrative transactions.

DR. BERNSTEIN: So I am taking suggestions as to how you want to rework this paragraph.

DR. ROTHSTEIN: I think it probably is not a good use of our time to word by word this, especially given the stage at which the overall letter is. What I would like to suggest is that we agree in principle on changes that we would like to see, and then have Maya take the lead in putting together language that reflects our views and then bring that to the full committee.

I would like to see basically the subcommittee authorize that procedure. In other words, have the staff summary attempt to reflect our views, and then without having to go back to the subcommittee go on to the full committee. Would that be okay?

DR. GREENBERG: The summary or a revision of the document?

DR. ROTHSTEIN: I'm sorry, a revision of the document that is based on our agreement.

DR. BERNSTEIN: I will take the notes and put them here, and then we will go back and wordsmith something that will meet with our approval.

DR. ROTHSTEIN: Is that okay with you, Leslie and Paul?

DR. FRANCIS: Yes.

DR. ROTHSTEIN: Hearing no objection, that is what we are going to do. Let's make sure we are all in agreement with Harry's first suggestion. It is his recommendation, and I support it. Does anybody have any dissent?

DR. HOUSTON: Would you repeat it one more time?

DR. ROTHSTEIN: Harry, can you repeat that suggestion?

MR. REYNOLDS: I'm not necessarily interested in the wording.

DR. ROTHSTEIN: Not the word, but just the idea.

MR. REYNOLDS: The point is, the covered entity is inefficient and insufficient in the NHIN world.

DR. ROTHSTEIN: It is an archaic concept that is based on assumptions in a totally different world.

DR. HOUSTON: Are we going on to other recommendations?

DR. ROTHSTEIN: We are going to try to get them in order, unless yours flows from that. Is the recommendation you want to make --

DR. HOUSTON: No.

DR. ROTHSTEIN: Is it coming up or is it new?

DR. HOUSTON: It is part of the report.

DR. BERNSTEIN: Just on this section for the moment. We will get to other sections if you want to make another comment.

DR. ROTHSTEIN: Is it on this section?

DR. HOUSTON: Yes.

DR. ROTHSTEIN: Okay. Paul and Leslie, we are on the top half of page seven.

DR. BERNSTEIN: On the second paragraph.

DR. ROTHSTEIN: The second paragraph, before clinical data and electronic health records.

DR. HOUSTON: A couple of comments. First of all, in the very first paragraph, I know we are not wordsmithing, but when you look at it, there is some inconsistency that I want to make sure you address.

You talked about hearings in the past year, then you talk about a culmination of an 18-month process. I just want to make sure it is clear that we are talking about -- when I read it, I said was it 12 months or was it 18 months. I want to make sure it is clear.

DR. ROTHSTEIN: I read that, too. The problem is, the report is supposed to only cover 12 months, but the process that we went through took 18 months. So maybe we can clarify that.

DR. GREENBERG: Why don't you just say that you held a number of hearings and just say the time period, whatever it was?

DR. ROTHSTEIN: I think it was like January '05 to fall of '06.

DR. BERNSTEIN: I came in in February of '05, and there was one hearing on this topic in January of '05 before I arrived.

DR. ROTHSTEIN: From January '05 to June '06. The process took place from January of one year to June of the next.

DR. HOUSTON: That inconsistency I think needs to be cleaned up. The other thing too is, you talk about the considerations in the emerging Nationwide Health Information Networks. You said focusing on the privacy and confidentiality considerations in emerging Nationwide Health Information Networks. I thought it was more specific, that the report was related to the Nationwide Health Information Networks.

DR. ROTHSTEIN: That is correct.

DR. HOUSTON: So I think we need to be consistent in what we are talking about.

DR. FRANCIS: Among the testifiers were also health lawyers.

DR. ROTHSTEIN: She said among the testifiers were health lawyers, so we need to add that.

DR. FRANCIS: Experts in health law, something like that.

DR. BERNSTEIN: We said medical informatics.

DR. ROTHSTEIN: Thank you.

DR. HOUSTON: Back to my comments about this section more generally. We talk about what the report covers. Do we want to say, or do you think it is important to make note of any important recommendations out of the report? If you go into subsequent sections of this report to Congress, you will notice that on page ten there are all these recommendations.

So keeping it in form with the rest of the document, there is a summary section on the recommendations, I understand the new format of things, I think it is deserving to make sure that some of the more key recommendations make their way into the report.

DR. ROTHSTEIN: I agree. I think we should not miss an opportunity to say our piece on the recommendations.

DR. GREENBERG: I agree with that, although just to point out that this is a HIPAA report. So this last part, the lessons learned, are all lessons learned from HIPAA. Whereas, the June report was more related to NHIN, though it certainly had HIPAA implications.

DR. HOUSTON: There were some expressed intersections to HIPAA.

DR. GREENBERG: Those you might want to highlight.

DR. ROTHSTEIN: Among the HIPAA related ones are recommendations with regard to business associates and so on and so forth.

DR. GREENBERG: Those could be highlighted.

DR. ROTHSTEIN: Those we ought to play up as opposed to the others. I agree with both of those points. Thank you, John.

Any other comments on this section?

DR. TANG: Do you think you want to allude to the June letter that we are going to be sending? Since covered entities is obviously a HIPAA issue?

DR. BERNSTEIN: We allude to it. We have explicitly talked about it in the first paragraph.

DR. TANG: I guess you're right.

DR. ROTHSTEIN: I think what Paul was saying, am I correct, Paul, that you wanted a preview of what we are going to say in June '07?

DR. TANG: Yes, because the whole point is, we are going to emphasize something we have already stated, but clearly what we are stating has been HIPAA related all along, it is just on uncovered entities.

DR. ROTHSTEIN: I'll defer to Marjorie on this, but I think this is what we did in the '06 report to Congress, not what we are planning to do in '07, is that correct?

DR. GREENBERG: This is true. It covers the period May 2006 through November 2006.

DR. ROTHSTEIN: Right.

DR. BERNSTEIN: Also, in order to talk about that, you would have to have an agreement on that, which you don't have yet. You won't have that until June.

DR. GREENBERG: We don't want to tread any new territory here.

DR. BERNSTEIN: We can report that in next year's.

DR. ROTHSTEIN: Other suggestions? Maya, what is next?

DR. BERNSTEIN: There is a previous section, if we go to page 4, Harry had some significant suggestions about the compliance and enforcement section.

MR. REYNOLDS: Before we read those, one of the things you will see in those comments is how far did we want to go in stating what we have.

DR. GREENBERG: What the terms are.

MR. REYNOLDS: Well, and things we heard in testimony. In other words, I don't think I brought up anything that wasn't in the testimony besides how aggressive we want to be in this letter, and I will have to defer to others to understand that.

DR. HOUSTON: Which section?

MR. REYNOLDS: The one she is about to read.

DR. BERNSTEIN: We are on page four of the report. It is the first subsection in the section on progress since the last report to Congress. The first topic is compliance and enforcement.

DR. ROTHSTEIN: Can you go to the page five version? I think I said something about this, too.

DR. BERNSTEIN: If you did, I do not have your comments.

DR. ROTHSTEIN: Didn't I say to date, no prosecutions have arisen from these referrals?

DR. BERNSTEIN: Harry said that, too.

MR. REYNOLDS: It is right here.

DR. BERNSTEIN: You are apparently of like mind. I'm sorry if I didn't capture your comments. It may be that because I was doing this at home I filed them in a very neat little folder.

DR. ROTHSTEIN: One of the things that I know that I mentioned besides the, to date no prosecutions have arisen from these referrals, is that there have been no civil monetary penalties assessed in any of the cases.

DR. BERNSTEIN: One of the comments here that relates to that that Harry made is that we say 75 percent of the cases are closed, but it doesn't say how those cases got closed. We heard some testimony on it in the last hearing with the data that Sue McAndrew shared with us. Some of them closed because of lack of jurisdiction, some of them closed with voluntary compliance, some of them closed -- I can't remember, David, what the other topic areas were.

PARTICIPANT: After investigation.

DR. BERNSTEIN: Right, after investigation they closed or whatever.

PARTICIPANT: There was a finding of no violation.

DR. BERNSTEIN: Right, there was a finding of no violation. And we know that there have been no cases where there has been a civil action taken.

DR. HOUSTON: Then maybe we should just put in brief those statistics in there, in this section.

DR. ROTHSTEIN: I also think that the NCVHS is on record as not being supportive of the policy of OCR never to assess civil monetary penalties for violations.

DR. BERNSTEIN: I'm not aware of whether the committee has taken that position.

DR. ROTHSTEIN: I would like to read you something from page 12 of the June letter. At least in the context of NHIN, we said, OCR attempts to resolve those problems that lead to complaints directly with the covered entities. We applaud the focus on improving the protections --

DR. BERNSTEIN: Could you slow down so they can hear you on the phone?

DR. ROTHSTEIN: -- at the covered entity level. Nonetheless, prospective general improvements by a covered entity often do not satisfy the individual who makes the complaint, nor reassure the public that the law is being enforced adequately.

So I do think that we are on record as having issues with OCR policy.

DR. HOUSTON: I don't read that as having issues with OCR policy.

DR. ROTHSTEIN: You don't?

DR. HOUSTON: Maybe it is just an issue of tone of how we are saying it. I think we have concerns that individuals don't feel as though their privacy protections are being adequately afforded or are being addressed.

DR. ROTHSTEIN: I am very happy to say that, something like, the testimony that we have heard consistently is that the public is concerned about the lack of enforcement in protecting their rights, or something like that.

DR. HOUSTON: I think that is more fair than to say NCVHS has made --

DR. BERNSTEIN: We can quote the exact language from the report, which has been voted on and blessed, essentially, and say the report found the following.

DR. ROTHSTEIN: So you put that in? We are all going to have another crack at this in February.

DR. BERNSTEIN: My hope is that when the new version comes around, it will be in advance of the February meeting. People will have an opportunity to have looked at it before they arrive, and will then come prepared.

DR. HOUSTON: Can I suggest that for the Privacy Subcommittee's work that you highlight the sections that are applicable to privacy specifically? The reason why I ask that is, I want to focus my comments on those things that relate specifically to privacy. When I read it, I tried to just look at the things related to privacy. I understand the other things are the purviews of the other subcommittees in certain cases.

DR. GREENBERG: You are going to get this. We will send it to you, the whole thing. Debby will probably send it out, so I don't think one section will be highlighted over another.

DR. HOUSTON: Okay, I'll just restrict my comments to those things which I feel are --

DR. BERNSTEIN: Right, but for example the privacy section is separate from the compliance section. The compliance section covers both administrative simplification and privacy compliance. So you have to pluck out the parts that are going to be relevant. I suppose I can highlight them.

DR. HOUSTON: Don't worry about it.

DR. GREENBERG: When you send your revisions to Jim Scanlon, they are going to look like this. You could CC the subcommittee. That doesn't mean they shouldn't respond at that point, but then --

DR. ROTHSTEIN: Just a heads-up on what it is going to look like somewhere. Other additions or corrections? I am going to have to go back home and take a look at my hard copy markup.

DR. BERNSTEIN: Did you send me your copies electronically?

DR. ROTHSTEIN: No, I handed them to you at our last full committee meeting, because I had made them on paper copy in advance at the meeting.

DR. BERNSTEIN: I'll go look for them again, Mark, I apologize.

The other thing, Harry, we talked about was that even previous to this, earlier on page four, the first place we mentioned NPI.

MR. REYNOLDS: Yes, but that doesn't relate to this. Just for purposes of expedition, we should cover that statement of security.

DR. BERNSTEIN: Okay. Then is there anything else on the compliance and enforcement section that somebody wants to add?

DR. HOUSTON: No. Can we go to outreach then?

DR. ROTHSTEIN: Are we ready for outreach?

DR. HOUSTON: Even though it is more of a security than an outreach thing, but since Harry is in the room, too. My only concern is, it says with respect --

DR. ROTHSTEIN: The second sentence under HIPAA outreach and education on page five.

DR. HOUSTON: With respect to security, HHS has published a series of educational materials that address all aspects of security. I don't like the words all aspects of security, because it sounds like it is more comprehensive than it was. It was good, but --

DR. BERNSTEIN: Anyone object?

DR. ROTHSTEIN: Anything else on the letter at all? So without hearing any objections, we will go with the plan that we discussed earlier and that Maya will write up the revisions based on our discussions and pass them along to Jim, and then we will consider them again in the full version.

Let me thank you, Maya, for your work on this, and announce that it is my intention to take up the last of the issues on our agenda and adjourn no later than 4:30. So those of you on the Internet and elsewhere can plan.

Agenda Item: Subcommittee Discussion of Strategy, Next Steps

One issue that we had deferred that I want to take up now is the issue of research strategies. You will recall we had at our hearing the testimony of the research methodologists. Let me give some background for Leslie's benefit and others.

We have for many years recommended to the Secretary in a series of letters, at least two or three that I can think of, that the Department undertake a research program to study qualitatively and quantitatively the privacy rule and its effect on individuals, on covered entities, on the health care system, the economic effects, whether people are feeling more confident that their privacy is being protected, whether it interferes with clinical care, and so on and so forth.

Nothing has been done in that regard. We discussed last year the idea that maybe we could increase the likelihood of something happening in terms of a research program, given the magnitude of the task, if we could point the direction of such a research program and say, we heard from experts and a research program we think ought to consist of the following five elements, whatever they might be.

So that was the purpose of the hearing. We did hear testimony from some experts who confirmed to us that studying this question is perhaps even more daunting than we thought. Now the question for the subcommittee is, what if anything should we do now that we have heard from the experts.

John, you had a comment on this?

DR. HOUSTON: I'm not sure if I did or not.

DR. ROTHSTEIN: Maybe you just want to know if it is being dropped.

DR. HOUSTON: That is more of it. I think we heard from testimony; do we want to make a recommendation.

DR. ROTHSTEIN: I'll give you my opinion. It was my perhaps optimistic or naive or some view that we would be able to put some recommendations together in this regard, and after the hearing I felt and continue to feel quite discouraged at the lack of expertise that we have to formulate such a recommendation.

I think I would continue to stand by our recommendation in principle, but I don't think it is a fruitful enterprise for the subcommittee and the full committee to try to even sketch out the parameters of what such a research program would look like. It was so complicated and so laden with on the other hand and footnotes and asterisks and so on, that even though it was my idea, I will take the responsibility for it, --

DR. GREENBERG: I suggested it too.

DR. ROTHSTEIN: I think it was worth exploring and we learned from the process, and I just don't think we ought to pursue it any further.

MS. WATTENBERG: Was there a particular question that was being asked when you proposed the research?

DR. ROTHSTEIN: The particular question was, how if at all could you set up a system to measure in any meaningful way the effect of the HIPAA privacy rule. We got some very complicated answers.

DR. HOUSTON: I think we all agree that it is going to be overly complex to try to retrospectively -- is it worth making a recommendation as we move forward on some of these initiatives like the NHIN and et cetera, that we make a recommendation that they should retrospectively put the measures in place to be able to assess privacy effects on new projects.

DR. ROTHSTEIN: Let me quote to you from recommendation 26 on page 16, which says, HHS should establish and support ongoing research to assess the effectiveness and public confidence in the privacy, confidentiality and security of the NHIN and its components.

DR. HOUSTON: That is what I said.

DR. ROTHSTEIN: Thank you.

DR. COHN: Mark, I am delighted by your proposal. Not surprised, but delighted. I think you are right, I think the complexities of what is going on in the environment, especially given the fact that there are overlapping state as well as federal laws and all of this that made measurement almost impossible.

Having said that, I think as we begin to look at issues as we go forward, there may be value to particular types of statistics. I am reminded in the previous hearing you wanted to know what happens to -- what is really happening at the Department of Justice about cases referred over there. I can imagine getting some quantitative information around the tracking of disclosures, given that has been historically more controversial pieces of the HIPAA implementation, just to see about its utility and all of that, but that is on a focused, issue based level as opposed to an overall review of overall efficacy or whatever other measure we may hold this to.

DR. ROTHSTEIN: Just to respond to Simon, I agree with you, Simon. I don't want to abandon the notion that we couldn't ever use data to review enforcement or other functions under HIPAA. What I am prepared to abandon is this global idea, this notion that we can use data to answer these big questions. I think it is somewhat quixotic, after hearing the experts.

DR. BERNSTEIN: I want to remind us that what I remember from the hearing is that, yes, we had trouble looking retrospectively at HIPAA, but there were several suggestions made about how to go prospectively doing a study. Even though yes, there is a recommendation in our previous letter, I think it is sort of amorphous and attenuated and not very specific.

But I don't think it would fall on deaf ears to have a more specific suggestion that now is the time to start collecting data to have a baseline when there are people who are not yet having electronic records, and where we could get from baseline, and we won't be in the same position again where we can't measure something five years down the road because we didn't start now.

You could have some small pilot project. There might be funding for that stuff, as I understand. In this year who knows, because we are under a CR, but there are research monies available. I think various pockets of people in the Department are looking for good ideas. Certainly this fits in with the Secretary's top ten priorities, and would possibly support his health IT initiative.

I can't speak for the Department and say yes, it will be funded immediately if you were to propose that. But I think if you made a more specific proposal that were more tailored, and perhaps with some of the help of the testimony about how you would go about prospectively doing that, it might be more helpful. Just my thoughts.

MS. WATTENBERG: There may be some specific kinds of research questions you can ask, like physicians routinely collect client satisfaction surveys, and you could do some study on, since the introduction or advent of HIPAA, has client satisfaction gone up or down, and is there a way to draw a causal relationship, or in terms of research has there been a reduction in client subjects in certain kinds of research since the advent of the HIPAA privacy rule. You could ask some very targeted questions.

DR. ROTHSTEIN: Here is where we start getting into problems that were illuminated at the hearing. You get into all this selection bias and so forth. I just think --

MS. WATTENBERG: Every study has to be completely methodologically perfect in order to be useful. It depends on what the question is that you are asking.

DR. BERNSTEIN: We also heard that it is possible to add a question or two that might be useful onto existing studies. The selection bias is not there because the Department is reducing that because of its statistical expertise and so forth.

DR. ROTHSTEIN: I think that if the Department wants to do this and wants to use us as support for doing that, we have given sufficient approval and enthusiasm and go-ahead to do it.

Paul and Leslie, any contradictory views?

DR. TANG: I don't know where you ended up. You are or aren't going to do it?

DR. ROTHSTEIN: The way we have ended up is, we are not going to proceed with the research issue.

DR. TANG: Okay.

DR. ROTHSTEIN: We have committed to get these two letters out by June, but these letters do not require any additional hearings. It is based on work that we have already done.

Let me suggest that I think it would be appropriate for us to give some thought to additional topic areas that we might want to consider having hearings on and working out letters that perhaps we could shoot for in the September meeting of the NCVHS. I know Harry has got some ideas.

Let me present one -- and John has some ideas, let me nominate one. That has to do with the issue of mental health information. The HIPAA privacy rule currently has a special provision. There is only one class of health information that is not subject to the disclosure of HIPAA privacy, and that is the psychotherapy notes.

In order to qualify for non-disclosure as psychotherapy notes, those notes have to be maintained by a quote mental health professional. It seems to me that we need to think about whether that was the appropriate way to consider this class of highly sensitive information.

In particular what I am referring to is the fact that much mental and behavioral health guidance and counseling is done not by mental health and behavioral health professionals, not by psychotherapists, but by primary care docs, by ob-gyns, by family care physicians and so forth, and that information can be quite sensitive and is not subject to any additional level of protection.

Now, I'm not recommending anything at the moment, other than that we should perhaps consider holding a hearing where we hear from primary care docs and psychiatrists and maybe substance abuse counselors and so on, to see whether that might be an area that is appropriate for a recommendation.

DR. HOUSTON: Just so we are real clear on this, psychotherapy notes are a very specific class of mental health information. You were talking like if it only occurs with ob-gyns and with PCPs, that it would then be covered.

DR. ROTHSTEIN: No, what I am suggesting is that instead of saying that the exceptions for psychotherapy notes, maybe the exception for mental health treatment.

DR. HOUSTON: I understand that, but my point is even more specific than that. Even if you are in a psychiatrist's office or you are in a psychiatric facility, that information itself isn't covered any differently than regular medical information. You don't even have to be outside of that setting in another environment. It wasn't clear that you were saying that.

DR. ROTHSTEIN: I may have and probably did say that inartfully. The question is whether, knowing what you know and knowing what you think I know, is that an appropriate topic for us to consider for a future hearing.

DR. HOUSTON: Yes.

DR. FRANCIS: Yes, I think it is a very important topic.

DR. HOUSTON: The only expansion of that would be, do you want to entertain other types of sensitive information other than mental health.

DR. ROTHSTEIN: That is a very good question, whether we should go beyond that and consider other sensitive information. One can think of a dozen other types of sensitive information.

One of the things that -- I am of two minds here. In my writing over the last 20 years I am on the record as being opposed to the balkanization of medical records, because I think it increases the stigma associated with mental health, not just mental health but genetic information and all sorts of other things. The more we separate them, the worse things get. So I am on the record already as saying that.

But having said that, as long as we are going to carve out something, I'm not sure that the way it has been carved out is the appropriate way. I come to this with no preconceived amendment in my head, only the idea that maybe this is an area that we ought to take some testimony on, that's all.

DR. TANG: Can I ask, are you saying that you would want to have this information covered in say progress notes of primary care providers?

DR. ROTHSTEIN: Well, the answer is, I don't know. That is why I am thinking of -- I am just asking the question.

DR. BERNSTEIN: If I can recommend for the next few minutes that instead of discussing each one of these topics, if we could brainstorm some other topics that you might want to cover in the coming year or coming half year after June or whenever we can set up hearings. Our time would be more productive than if we have discussion for each one. The point is, we don't know yet.

DR. TANG: But are we deciding whether to have hearings at this point? I think that is a big danger, opening up HIPAA again.

DR. ROTHSTEIN: What we are deciding is what areas of health privacy we think are appropriate for the subcommittee to consider in 2007. You can use whatever study you want in deciding whether you think that is an appropriate topic. But all I am saying is that we now have one suggestion, and the floor is open for other suggestions. Then once we have them, we will see which if any of these we want to follow up on.

DR. TANG: We are going to have some act before we pursue it?

DR. ROTHSTEIN: We are going to get a list of possible topics from the subcommittee members and then we are going to decide which ones we want to follow up on and in what order.

DR. FRANCIS: I don't know if this is something the committee has already done, something that is irrelevant or silly for it to do, but ways to get lots of information in infectious disease surveillance.

DR. ROTHSTEIN: Can you explain?

DR. FRANCIS: What I mean is that there has been a lot of interest in increased monitoring or getting data on everything from patient shift in thinking about HIV testing to opt out rather than opt in, relating to the ways that have been promulgated about what might happen in the time of a pandemic, if there ever were a pandemic.

This is a very general area that would obviously need to be thought about in making some decisions about what or where, but everybody is always eager to get the data. If there is a worry about exceptions, there are huge privacy considerations. I don't know whether anybody has looked at that whole raft of issues from a privacy perspective or not. One of the reasons people are interested in even in NHIN type data is surveillance.

DR. ROTHSTEIN: I think that is a very important issue, and in fact, one of the AHIC work groups on biosurveillance took up this specific issue. I think it would be certainly fair game and reasonable for the subcommittee to consider what they came up with. As you say, in November of 2006, CDC changed its policy on HIV reporting, so that certainly would be reasonable for us to take a look at as well.

So we have got another one on the list, and also on the phone. Gail?

MS. HORLICH: I don't have another one, but I did want to add that AFTO is thinking about planning a meeting to look at privacy issues associated with pandemic preplanning. So I think it is a very important issue. I also definitely agree that we should look at the mental health issues.

I am going to have to sign off in a couple of minutes, but it has been a great meeting. I just want to thank you for letting us follow along on the line.

DR. ROTHSTEIN: Thank you for following along, Gail. I hope to see you in February.

MS. HORLICH: Thanks.

DR. ROTHSTEIN: Bye. Who was next?

DR. HOUSTON: Just a comment, not a suggestion for a topic. You had indicated that there is a GAO report coming out as well as some testimony. We should probably be open to the fact that we might find things in those reports that will lead us to want to maybe investigate some things. So I just want to --

DR. ROTHSTEIN: Keep some powder dry?

DR. HOUSTON: Yes. That is my only other comment.

DR. ROTHSTEIN: If you didn't hear on line, that was a suggestion that we not overly commit ourselves in light of new reports that might be coming down.

MR. REYNOLDS: I have got a subject I am struggling without a frame. We have asked over and over again for information on compliance issues that are out there, and we continue to hear the numbers.

How do we raise the water level in the industry about understanding the HIPAA process? In the real world, minus case law, minus clear examples, minus any of these other things that are going on, we are all barreling forward, and everybody has spent a lot of money and everybody is watching it close, but nobody knows if they are watching the right place.

We all flippantly say, and we heard it again today, people don't know how to implement it and they are not sure. I am becoming a little tainted by the fact that that is just so easy to say, and that is what everybody has accepted. I think the thing we try to do in this committee is try to make some difference in raising the water level for everybody, and I don't see that happening.

I think we have asked in numbers of different ways. We have asked for reports. We have asked for stuff that we could help people see. But again, being on the ground in the real level, it is still an empty field. I think everybody we heard testify -- if anybody went into a doctor's office, and we could all go around the room not saying why we went in, you would chuckle, either chuckle or cry about what this thing means. I don't know how to turn it into an action, but it is something that has not translated well into the real world.

DR. ROTHSTEIN: Harry, I agree with you. That was part of the justification or the impetus for my research study that didn't pan out. Yes, we all know this from experience, but how can we make sense out of these anecdotes and try to figure out a policy to go forward?

I would argue that we are still paying the price for a lack of adequate outreach and education when the privacy rule was rolled out. We had many very colorful hearings on this issue. I'm not sure how much better things are.

To be brutally honest with you, the only comfort that I think some providers have with the privacy rule is the fact that even though they don't understand it, even though they don't know what they are supposed to do, even though it is a mess, at least nobody is going to come after them and assess them any penalties.

DR. HOUSTON: That is pitiful, too.

DR. TANG: I may be hearing two different things, and perhaps it is just a hearing problem. What I heard you talk about in your research, Mark, was to try to assess the effectiveness of privacy protection. What I hear Harry talking about is assessing the public's understanding about privacy and privacy issues and the risks that they may have with certain behaviors.

I think you are right that the former, the one assessing the effectiveness of privacy, is much harder. The latter, the one that I hear Harry talking about I think may be easier to ascertain through surveys and those kinds of techniques, and could be as important if not more important.

So to the extent that the public understands both the issues and risks of individual behaviors, it could do with what they put into their PHR, sponsored by whom, so on and so forth. Then we have a much bigger group of folks that can influence what is and isn't offered in the market.

So I was thinking that it may actually be potentially more effective to make sure one, we assess the public's understanding and two, that we influence and educate them on both the issues and the risks of individual behaviors. That might be a more effective way of achieving privacy.

DR. ROTHSTEIN: Harry, did you want to respond?

MR. REYNOLDS: I wasn't really going to the research aspect. We still have 22,000 complaints that came in, regardless of how they were adjudicated, to get information about. So you don't have to do a survey, there is a lot of stuff out there, what was right, what was wrong, what was good, what was bad.

Again, translating some of that and putting it on the street, de-identified, it doesn't matter, gives people a structure. Those that were dismissed, good.

DR. BERNSTEIN: Harry, I am asking you to clarify what you are talking about. You are suggesting that OCR or somewhere in the Department, that they take the factual scenarios from the complaints or whatever facts were ascertained from an investigation, and put the fact pattern out there explaining that this is an okay practice or this is a not-okay practice, and here is what will happen to you?

MR. REYNOLDS: It is not what will happen to you.

DR. BERNSTEIN: It could be.

MR. REYNOLDS: Again, if there is no learning on the street, there is just people playing at it. I'll tell you, there are a lot of people that spend a lot of money, and they are not sure that they are playing or they are not sure they did a good job.

DR. ROTHSTEIN: Harry, I have a suggestion to make. I think I know what you are saying. That is, explore with OCR the possibility of making FAQs or guidance documents out of actual complaint scenarios that have been submitted to them so that -- in the law we sometimes call these advisory opinions, saying that this is okay or this is not okay. Somebody complained that their doctor did this, and we think that so long as he or she didn't do that, that is okay.

MR. REYNOLDS: It is obvious we are not going to get case law, so let's have business practice. But let's have something that raises the water level and raises peoples' sense of understanding of the kind of pitfalls that are out there, which may have been dismissed as not issues, or the ones that were recommended and somebody changed them. That is great practice.

It is hard to keep sitting here watching that number go up and then a lot of people sitting in other places not knowing --

DR. ROTHSTEIN: Let me just comment, and then we'll go to Marjorie. In November, we agreed that we would try to push for a meeting with Sue McAndrew to talk about a better use of complaint information at OCR. That meeting has not yet taken place.

Would it be consistent with your suggestion, Harry, if we put that on the agenda as one of the items to raise with her?

MR. REYNOLDS: Yes, and as a committee we get something done this year.

DR. ROTHSTEIN: Thank you.

MR. REYNOLDS: Yes, that is my recommendation.

DR. BERNSTEIN: I believe there was some subset of us that were going to meet with her. Simon, you, maybe me.

DR. ROTHSTEIN: Right.

DR. BERNSTEIN: I don't know what your schedules are like in early February, but I know that you will be in town for the full committee meeting, so it might be possible to have that meeting then. I'll try to coordinate that with you.

DR. TANG: I would be interested in it as well. I think that is a great idea.

Something to even add on to that, there is a certain amount of barrier to submitting one of the reports, the 22,000. There may be another 100,000 out there. Could we also design a mechanism to have certain things, let's say some of these contracts that I have seen put through this hopper, and even just a commentary on such a practice, and to be part of the bigger learning set, the difference between adverse events and near misses. There are a lot of near misses out there that could be very educational.

DR. ROTHSTEIN: Thank you.

DR. GREENBERG: I certainly think you should pursue the meeting with Sue. The specific recommendation unless I was hallucinating or something, I think I recall your making it during a meeting, that you look at the scenarios, not specific, not identifiable, and then develop categories and maybe FAQs. I thought she said that was one of the approaches they were taking, which is that if it was a common concern or something that they felt needed clarification, they were developing FAQs.

But again, I didn't completely hear what Paul said, but I do think that 22,000 is the tip of the iceberg, not necessarily for egregious things, but for whatever was intended by the HIPAA privacy regulation not playing out.

For example, this whole notice thing. We keep hearing about that. What I am saying is, there are a lot of things going on that don't rise to the fact that someone is going to level a complaint, but undermine what value we had hoped the whole notice and policy would have.

Harry triggered this with me. I went to a doctor I hadn't seen before. When you go to doctors you haven't seen before, you forget. I got something to fill out, and I was supposed to sign that I had received their privacy policy, but they didn't give me anything. Most people just go duh, but since I am in the field that I am in, I did go up to them and say, I am supposed to sign here that I received this, but nobody gave me anything. They said oh yes, and they gave it to me.

It does undermine; either people sign it and say they didn't give me anything, or they don't sign. I'm not going to raise a complaint about this to OCR, for goodness sake, because they did have one. But I think it is an example.

I am still wondering, going back to your research issue and rejecting a lull for the committee, because this is such a skewed sample or non-sample, a skewed cohort of the people who have raised complaints. I still think it is worth mining it more. Even the FAQs, does the average person go out there to look at the website, maybe people in the industry do, but I really wonder if it isn't worth exploring, particularly in light of what Maya said about, there may be some funding, adding some questions to something like the health interview survey which is a representative sample of the population. Not everybody in the health interview survey, in fact, probably the majority, have not had a health care encounter in the reference period, maybe the last two months or something, but to ask some questions that maybe get at this area of just the policies and the fair information practices and peoples' views on what their experience has been.

That then gets into another venue. It could get into articles, it could get into the newspaper. Things from the HIS are published all the time. It could get into the MMWR, not as an attack, but as hello, this is what is going on right now in a representative sample of the population.

Again, it is fraught with problems. You don't have the baseline, blah, blah. But I don't know if you should just reject it out of hand.

DR. ROTHSTEIN: No, I think that is fine. We talked about that at the hearing in November, you will recall.

DR. GREENBERG: Yes.

DR. ROTHSTEIN: I think that would be wonderful. I don't want to reject that out of hand, I want to support that.

DR. GREENBERG: It wouldn't necessarily be definitive about the effectiveness of the regulation, but it could have more generalized information about people with experience.

DR. ROTHSTEIN: Do you think the committee needs to recommend that before Ed or whoever is in charge of signing off on that says we are going to do it?

DR. GREENBERG: No, I think what it would require is maybe the subcommittee meeting with people from the health interview survey and maybe some people from ASPE about what kind of questions realistically could you ask. You could test questions in the cognitive lab.

It requires some money. NCHS doesn't have that money in their budget right now, but people add questions all the time. ONC adds questions to the ambulatory care survey about the penetration of the electronic health records. I think it would need a little more exploring. It may be that in exploring it you would be convinced that there isn't anything you could ask that would get good answers that would be worthwhile.

We haven't done that. You had the one hearing or some testimony during the one hearing. I am just thinking, because I am reacting to Harry's frustration; we keep trying the same things and bringing up the same issues, and nothing seems to be advancing. This would be a different approach, and the results if it were done would have a different audience and might raise the consciousness a little bit more and might lead to more active response.

DR. ROTHSTEIN: I certainly would support that. I'm not sure what you are suggesting. If you are asking, would the subcommittee and/or its leadership be willing to work with you and ASPE and so on, absolutely.

DR. GREENBERG: I think it should be done. This is a federal advisory committee, so it should be done -- unless it was just one person doing it, but if it was the subcommittee, it should be done in the usual way. But you could do it in a working session of the subcommittee. You could ask to have some slates. That is a huge sample that you can add a few questions to.

So I'm just saying, it could merit a little bit more exploration.

DR. HOLZMAN: If you will indulge me for a moment, I'd like to return to Ms. Greenberg's comment --

DR. ROTHSTEIN: For the record, could you state your --

DR. HOLZMAN: I am David Holzman. I am with OCR and I am representing Sue McAndrew.

Ms. Greenberg, if you had reported your concern regarding the encounter in your physician's office regarding the notice of privacy practices, that complaint would have been fully investigated.

DR. GREENBERG: I realize that.

DR. HOLZMAN: And frankly, that is how OCR receives complaints regarding concerns about the privacy rule and how it moves forward.

DR. GREENBERG: I realize that, but being a completely complaint-driven system, my point was that for every complaint that is made, there are thousands and thousands of people who don't feel they were harmed, and so they don't report it.

The problem with it is less that any harm was done, but that it undermines what we are trying to accomplish. I don't doubt for a minute that if I had submitted a complaint, the OCR would have dealt with it in an appropriate way.

DR. ROTHSTEIN: Thank you. Simon.

DR. COHN: Just to try to pull us out of some of this stuff, I had not seen this occasion to be a time to come up with all the answers, but to identify the next steps. I agree with Marjorie that a very reasonable next step is for the subcommittee to invite somebody from NCHS who is involved with survey work to talk about what can be added to surveys. That can be in the next session, but I will defer to you on how best to approach that.

I did want to comment. It doesn't look like we have time to prioritize, but I am hoping the privacy subcommittee does have a breakout and that there will be a listing of these things that can be further discussed.

I did want to reflect on the hearings today. Even though I know we are going to produce a letter on this issue of non-covered entities, I do think that this is a rapidly enough evolving area that if we are going to be doing hearings between now and our June meeting, that we might want to have one session to revisit some of the discussions and see if there are any updates or changes to the landscape as we prepare a letter in that area. So just a suggestion on that.

I think finally, I would redouble what John was commenting on. Not knowing what GAO is going to be reporting, that may be something that we do need to make time for during the session, or even maybe something gets elevated to the full committee discussion either sooner or later.

DR. ROTHSTEIN: Let me see if I can summarize what you said, Simon, in the interest of time, and actually take it a step further.

Suppose at our breakout session at the full NCVHS committee meeting we start out where we already have two agenda items for consideration of future activities -- we are not going to do anything for the next two weeks -- that is, the mental health substance abuse notes issue and the infectious disease biosurveillance privacy issue. So those are on the table. In addition, we are going to pursue a meeting with OCR leadership on the issue of trying to use the factual scenarios from complaints for guidance purposes.

MR. REYNOLDS: One other thought. We did the letter of privacy on the NHIN, and we did it out of a nice high level. Possibly considering at some point having a diagram put together of how stuff may really flow through the NHIN. In other words, you have got RIOs and you have got the system of systems, and maybe in one of our discussion sessions put that up on the wall and walk privacy through that at a little more realistic level of where data might reside and how it might work, to make sure that we haven't missed something big as we have talked about privacy.

DR. GREENBERG: Will this come out of these presentations later this week on the architectures?

MR. REYNOLDS: It may. We may want to take one of those charts that comes out on these different architectures, and maybe some time for discussion here. There is the overarching subject and the idea of the pieces, and then there is some reality starting to flow. I call them filters. It doesn't hurt the filters one level down to say, does our umbrella miss anything.

It is a little bit like case law, where it is starting to come clear how people are going to do it. So it wouldn't hurt just to go through a couple of those, or any charts that come out of the ONCHIP meeting, and just say, did we miss anything. It may be a 30-minute discussion, it may turn into something where we said, oops.

DR. ROTHSTEIN: How about if I propose the following, that we already have two possible hearing topics, and for our subcommittee discussion that comes up in February, I would like to add two additional topics. One is the use of survey data from the national health interview survey or other sources, and maybe get somebody to one of our meetings. The second, using the architecture models for a privacy reassessment.

MR. REYNOLDS: Maybe that is later in the year. Again, we are putting out things to do. I'm not saying this is something we have got to do right now. I'm just saying that as we are laying out this year, I think within this calendar year, this is a subject that we ought to take a look at.

So I'm not pushing to all of a sudden slam it into the next hearing, but I think it is a subject that this committee ought to take as these things become a little clear. So I'm not pushing to add it to the next --

DR. ROTHSTEIN: So that is four items that we have got for consideration at our breakout meeting.

DR. BERNSTEIN: I just want to point out that the second topic, on infectious disease surveillance or other kind of public health uses, is one of those things that falls into the concept of secondary uses, depending on how you define it, and various people are defining what is a secondary use differently.

So as a privacy person, anything that is not the reason for which it was collected is a secondary use by me. That includes, if information is collected for a clinical purpose and it is public health, that is still within the health realm as a secondary use, or if it is for marketing or it is for your bank or God knows what, all those are secondary uses or maybe tertiary.

But other people define secondary uses to be either narrow or wider, and I think there is a lot of overlap in what various committees are doing. If we were to take up the issue of infectious disease surveillance, we are slicing that concept of secondary uses, we are picking one of them. It is an important one, but there are other ones, too, if you want to start exploring those areas.

DR. ROTHSTEIN: We are not committing to anything yet. There are initiatives in the works now at the Department that will influence how we go on any one of these issues. All I'm trying to do is put together a slate of things to keep our eye on and take another look at, at our February meeting.

Leslie or Paul, suggestions?

DR. FRANCIS: No.

DR. TANG: No.

DR. ROTHSTEIN: Amazingly, that brings us to the end of what I consider to be a very productive and interesting day. We did get a lot of work done. We heard a lot of interesting testimony and we have some very important steps to take to go forward.

I want to thank Maya and the staff for putting together a very interesting hearing. I want to thank our support personnel for operating under very trying circumstances. I want to thank Leslie for attending virtually her first subcommittee meeting, and we look forward to seeing you at the full committee meeting.

Paul, I hope you are feeling better, and looking forward to seeing you in a few weeks. I want to thank Marjorie and NCHS for hosting us, and our staff. We will meet at 8 a.m. at the full committee meeting.

Thank you. We are adjourned.

(Whereupon, the meeting was adjourned at 4:40 p.m.)