Sheraton City Center Hotel
1143 New
Hampshire Avenue, N.W.
Washington, DC
Committee:
Don E. Detmer, M.D., Chair
James Scanlon, HHS Executive Staff Director
Marjorie
S. Greenberg, Executive Secretary
Hortensia Amaro, Ph.D.
Jeffrey S.
Blair
Simon P. Cohn, M.D., M.P.H, FACP
Kathryn L. Coltin
Kathleen A.
Frawley, J.D., M.S., RRA
Robert M. Gellman, J.D.
Richard K. Harding,
M.D.
Lisa I. Iezzoni, M.D., M.S.
John R. Lumpkin, M.D., M.P.H.
Clement
Joseph McDonald, M.D.
Vincent Mor, Ph.D.
Barbara Starfield, M.D.
George
H. Van Amburg
M. Elizabeth Ward
Liaison Representatives:
Robert Moore, HCFA
Harvey Schwartz, Ph.D.,
AHCPR
Call to Order, Welcome and Introductions, Review of Agenda - Dr. Detmer
Update from the Department and HHS Data Council on Data Standards Component - Dr. Braithwaite
Discussion of Recent NCVHS Recommendations on Privacy and Health Data Standards - Dr. Detmer
Response to OMB Recommendations for Changes to Directive 15 - Dr. Iezzoni
Discussion of Proposed Recommendations on Health Data Security Standards - Dr. Lumpkin
Report from Public Education Work Group - Ms. Ward
Planning and Implementation - Ms. Coltin
DR. DETMER: What I would like to do is just start by doing our usual routine of introducing ourselves, including our guests in the audience.
Typically what we do, if you haven't been to our meeting is in the past is on occasion take comment from the audience, particularly if it is somebody that is helping us on a staff issue related to a point that we are discussing. We also give the general audience an opportunity before we adjourn to be recognized and make comments that they may want to have about our deliberations.
[Introductions were made.]
Thank you very much.
I do want to assure folks that it does look like progress is being made in redoing the conference rooms in the Humphrey Building. I think our movement around the city one of these days will actually be ended, and we'll be back at least and on our given lily pad.
I want to review the agenda first before we get our update from the Department and the Council. The agenda -- we'll start obviously after these updates -- approving our minutes, and then just discussing what has happened since our first set of recommendations relative to the Kassebaum-Kennedy legislation went out in June.
Then we'll be taking a break, and moving on into starting to look very seriously today at the recommendations for health data security standards. The concept is that we would like to see us act on that tomorrow, if that in fact is going to be acceptable to us as we move forward.
There is also an action item that we will want to relate to from Dr. Iezzoni and her group relating to the OMB recommendations on changes to Directive 15, and we would like to try to deal with that.
DR. IEZZONI: Don, the draft letter that is in the packet is an old draft. So we're going to need to get the committee the new one. It has significant differences.
DR. DETMER: Yes, that's good. Maybe what you can do then is as we go through the new draft, you can refer to where the changes are, if that's okay.
MS. GREENBERG: Yes, this is what we had when we sent out the agenda books, but there is a new draft; Lynnette has it, I know.
DR. IEZZONI: Will it be available?
MS. GREENBERG: Oh, yes.
DR. DETMER: So that actually will be an action item as the new draft is available to us.
We also have a couple of work group reports that Elizabeth Ward has been working on with a document I would like to see us actually look at and approve. It has to do with some of our process on the way we just relate to the external world on some of our issues, and also then, planning and implementation as well.
The committee will then break out into subcommittee work the rest of the day, and we'll adjourn from the subcommittees this afternoon.
I will unavailable actually tomorrow, so Dr. Lumpkin is going to be chairing in my absence tomorrow. We will be hearing from a panel on public health performance measurement and data. I'm sorry I won't be here tomorrow; I didn't intend that, but the university is having a vice president's retreat, and I need to be there.
In any event, we will also be looking at future meeting dates, and then getting reports back from the subcommittee, and as I said, hopefully approving the data security standards, and also recommendations on the national payer identification, and start as a last item, a very important discussion relating to where things seem to be at this point -- not for action -- but looking at the issue of unique identifiers and data content before we then adjourn.
That is my sense, at least, of the work we need to accomplish. Have I missed some things that you are aware of, Jim?
MR. SCANLON: Is that pretty much it? Do you have anything to add?
MS. GREENBERG: I think the only change is that David Garrison is not able to be here this morning, and will be here tomorrow morning.
DR. DETMER: I don't think John is going to be here either.
MR. SCANLON: John is kind of tied up at the Humphrey Building, but he will be here. I can give a very short report, and then John will be here tomorrow to talk about where we are with privacy in more detail.
DR. DETMER: Okay. Are there questions or comments about the agenda?
If not, why don't we move ahead then with update from Dr. Braithwaite.
Bill, nice to see you.
DR. BRAITHWAITE: It's too bad that John is not here, but he is back at the office busily working with the secretary on the privacy report, which she is going to be presenting in testimony to the Congress on Thursday I believe it is, but hopefully, he can be here tomorrow to give us an update on that.
With respect to the standards, we're making quite a bit of progress on the standards since the recommendations from the committee came to the secretary's office in June. That was very helpful, by the way, to have those recommendations. I don't think there are any recommendations that are being considered by the implementation teams at the moment that are contrary to what this committee recommended. So things are really moving along in those directions.
We are fairly well on schedule. We now have reduced the number of proposed rules that we expect to put out from 12, which was our original estimate. We have been able to condense that quite a bit given the decisions that have been made, and we now expect five or six rules to come out: one rule which will cover all the transaction standards; one rule each for the identifiers that need to be put out; and a separate rule for security standards.
They are pretty much on schedule as we spoke before, in terms of being published by the end of October, with a couple of exceptions. One of those is the employer identifier, which we're in negotiations with the IRS on the use of that. So if those go quickly, that will be out on time, and if not, it might be delayed a little bit.
The last one is the individual identifier. The Department has been reluctant to take a particular stand on that until we get the report from this committee, and have some more deliberations on it. So we may not be able to get that one out on time, but the others will be on time according to our current schedule.
There are some cross-cutting issues that have come up, some of which we have mentioned briefly in this meeting before. Since there are no other speakers this morning, I can take some time to explore a little bit with the whole committee, and let you know what they are, and where we are going with these.
The first one is the infrastructure issue. That is, if we set up standards for individual identifiers, for payer identifiers, and so on, particularly we set up a data dictionary, we set up a mechanism for making really available to the public the implementation guides to implement the transaction standards, those all require an infrastructure and somebody to support and pay for the active and the databases and the connections to the network and all of that.
So we are trying to define where those responsibilities lie. This is kind of a second order question. Now that we have decided what the transactions will be, and what the identifiers will be, it is a matter of fine tuning the rules that lay out what those standards are, but now we have to worry about the infrastructure to support those standards.
In some of those cases, the government is the appropriate place to provide that infrastructure. We believe, for example, that for the payer identifier and the provider identifier, it is probably the government's role to support the infrastructure to support the database and the access to it. There is a bunch of funny rules about who we can charge what for doing that. So we are having to worry about all of those details right now; and we are.
There are other things, such as the infrastructure for testing the standards. Once the private sector community has started implementing those standards, Party A would like to know that Party B's transmissions are in fact compliant with the standard before they start complaining about them, because they don't match with what Party A is doing, or vice versa.
Then there is always the finger pointing exercise that we get into when communications don't work. Well, it's your fault, because you are not sending me a standard and vice versa. It would be nice to have a trusted third party to do that kind of compliance testing.
At the moment, the government feels that it is not our role to do that. This is a private sector implementation of standards that are developed in fact by the private sector, but only designated or adopted by the government. So we are working with several private sector organizations to help them or maybe encourage them to set up these trusted third parties for doing compliance testing.
There are a number of other infrastructure issues like that, that we are working on. They will bubble to the surface as the implementation process goes forward, but just that you know that those in fact are issues that need to be dealt with.
The issue of proprietary standards for medical coding or coding diagnoses and procedures and so on, is an issue that keeps coming up even though as we spoke last time, and as you recommended to us, we have decided that the standards for coding for diagnoses and procedures will continue to be the existing standards. So who can complain?
The existing standards -- of course this only goes through the implementation period of the year 2000, and our warning as put forward from this committee is that we should warn people that those standards are likely to change as we move to a new diagnostic standard in about the year 2001, and as we come up with some framework for doing a better job of procedure coding in the years 2002 and 2003. People are certainly worried about what is going to happen after the year 2000, and those issues will certainly come up and need to be discussed, even though the proposed rules that we will produce won't address those particular issues.
There has been some flap throughout the industry about an interpretation of the law that says that these standards are voluntary. We have it on good authority, and we have our legal opinion that backs up the good authority from Congress that these standards are not voluntary. If you do transmission of these specified transactions electronically, then they must be in the standard form.
Payers and clearinghouses are required to implement these standards in the electronic environment. It is only providers that have an option. They have the option of either using paper, or if they do it electronically, of using the standards, and that is the only option.
So we bring that out just to make sure that everybody understands that that's what the HHS position is; that's what the legal position is; and that's what the feedback we have had from the people in Congress feel it was supposed to be, particularly since they put penalties in there for not meeting the standards, it didn't make any sense to anybody that these would be interpreted by anybody as being voluntary.
I think it comes from the fact that the standards had been devised as voluntary at one point in their evolution through the sausage making process of making a law in Congress, but the final product was not a voluntary standard.
There are some specific issues that have come up that we will be trying to address. One of them of course is this universal health identifier, which we will be talking more in the subcommittee meetings today. I don't think I need to say any more about that, except that it is a significant issue, particularly with respect to the privacy community. So we will talk some more about that in our subcommittee meetings.
We have found some feedback from people like the state Medicaid communities and the public health communities that they are doing claims for certain transactions like mass immunizations in a sense. If you go to a school and you immunize 147 kids, they are not submitting these claims for the cost of doing that on a standard format. So we are trying to negotiate with them, some mechanism that they can still do that electronically without violating the standard.
There is also an issue with a couple of these transaction standards which are not only used in the health care industry, but also used by other industries. The first report of injury transaction for example, and the premium payment transaction are used by other industries than health care. So we are having to be very careful about the language that specifies the health care implementation guide for those transactions being the standard that we are specifying.
Other industries that want to use a different implementation guide for those same transactions can still do that without interfering with the standards that are being set up for the health care industry.
As you know, there have also been some complaints about the 24 month legal time frame. Once the standards are adopted, the industry has only 24 months to actually implement those and comply with the law, except for small plans, which are being defined as plans with 50 or fewer participants that are maintained by the employer that actually instituted the plan for its employees. They have an extra year, but everyone else has to do it within 24 months.
Particularly with respect to the claim that is with the claim standard, because it is thought to be the most complex and difficult to implement, people are worried that 24 months is not enough time. We are exploring mechanisms for extending that period of time for providers only in the case that the implementation does not procedure rapidly enough within the two year time frame, and they need some extra time to actually implement.
We are going to try to do it on a "we'll do this if implementation goes slowly" basis, rather looking to Congress for an exception to the two year implementation time frame. We are getting much encouragement from some parts of the industry to go ahead and just do it in the two years, but we want to be a little bit flexible. We don't want parts of the industry to be financially destroyed by sticking too rigorously to arbitrary deadlines. So we are going to watch the implementation process and be prepared with some mechanisms that will allow a little flexibility for providers.
Speaking of flexibility, another comment about these standards is that they are not flexible enough. In investigating that, we find that what they mean is that it takes too long for a business need that is expressed in the voluntary standard setting process to show up in a standard. Now we are adding a governmental, bureaucratic process on top of what was already a slow and ponderous private sector process for adopting standards.
So we are working very closely with the major standard setting organizations to find a way to speed that up and make sure that it is in fact responsive to the business needs of the community, and flexible enough to stand the test.
That pretty much sums up the major issues that we are looking at dealing with, and the ways that we are dealing with it. I don't think I need to go any further with that unless there are questions from the committee.
DR. DETMER: Questions or comments for Bill? At this point we'll be getting in a little later for further conversation on this, and we'll touch on a number of these issues.
DR. ZUBELDIA: Has the issue of the version of the standard been addressed, where I believe the letter recommended version 3070, and X12 is now saying to go with 4010 instead?
DR. BRAITHWAITE: We are looking at ways of designating the version which is not actually in the regulation, but is tied to the implementation guides that are current. So whatever version of those implementation guides is current at the time of the issuance of these final rules in February, will probably be the ones that turn out to be the standard as designated.
DR. DETMER: This is on the Internet today, so if you wouldn't mind identifying yourself so that people that are listening.
DR. ZUBELDIA: Kepa Zubeldia with Envoy NEIC.
DR. DETMER: Other questions or comments?
DR. MC DONALD: I recently had the pleasure of working with a group of implementers with attachments of X12 and insurance companies and payers. I had a huge education about how complex and extensive what we call billing is. I frankly think that most of -- I didn't know -- I think about billing as the price to charge three or four fields, and that is it. This stuff goes on and on, and it includes such things as the hemoglobin for erythropoiesis and creatine levels. It goes on to a whole series of general fields for sending in general lab results for end stage renal disease.
Further, there is a lot of ugliness down at the low level of how these things are constructed and defined, at least in my opinion. I guess what I had hoped was going to come out of this activity -- there are redundancies. They ask the same thing two or three different ways; at least it looks like that.
Whether there is ever going to be a chance to clean it up, it seems like not, as I read how we firm up. Some of the definitions in some of these documents say how our goal is to preserve what is, exactly as it is, and so this is kind of scarier than it was when we started a year ago to me.
DR. DETMER: Clem, I don't know. The way I look at this, and I guess we will have to pursue this, but I see that our charge is also to track implementation. I guess what that means to me is that is just not to track it so that we can throw up our arms and say isn't this awful, but also try to respond where in fact it seems sensible.
So at least that's certainly the way I see our role, but again, that's also not simple, but I'm just saying I don't think that this is something that we have no capacity to continue to hopefully help evolve responsibly.
DR. MC DONALD: I wasn't really thinking of our particular organization. I just think about the physics of this nationwide. There is just tons.
DR. DETMER: No, I understand. I mean I'm not sure I understand all of what you are saying, but I think the general point I track on.
MR. MAYES: Bob Mayes. I co-chair the infrastructure implementation team.
Clem, that is a real important issue. Bill brought it up in a couple of different contexts, because it is one that we are acutely aware of, and actually trying to come up with a broad enough resolution so that it addresses it. Obviously, one of the issues is the master data dictionary concept. We are beginning to think that we need to take a fairly formal approach to that, and one that in fact is by design, expandable; sort of a registry-type approach.
The other part of that goes to part of this issue of responsibility; the infrastructure issue as to how we structure who does what. One of the things that we as a group are certainly trying to look at is how to parcel out - - I mean there is responsibility for maintaining the structure, i.e., the dictionary; where it might reside or whatever. In terms of maintaining the content or developing these various data registries that would then be put together, obviously there are appropriate groups, and it is not going to be a single group.
So we share your concern, if you will, about this. We are beginning to see that this is really a very fundamental issue. Certainly, as the committee moves forward to examine the broader computer-based health record and the standards that you are charged with coming up with recommendations, this becomes a really critical issue.
So we are very open for input, because we do realize that it is not just a single paragraph worth of resolution; oh, we put a dictionary together and we are done with it.
DR. DETMER: Bill?
DR. BRAITHWAITE: Clem, I should also point out that this is not a one shot deal. It's not a "here's the standard, and it is there forever." The law allows and maybe provokes the secretary to re-issue the standard every year on an annual basis. We have some standards that we haven't gotten to yet, like attachments.
It seems to me that the standards that we set now have to deal with the issue of making sure that the same standard is used by everybody in the country as the first time when that has happened, then we can gradually evolve that into something that is, let's say, cleaner or prettier, particularly as we add the standards for attachments, where some of these kinds of clinical things that have been added for various purposes probably really belong, and then the claim transaction itself can be cleaner when attachments are more of a standard way that people communicate.
So I see it in an evolutionary way of trying first to make it a national standard, and then sort of cleaning it up and making it more rational over time.
DR. DETMER: One last brief question or comment, and then we are going to move on to the other presentations.
MR. KLEIN: Thank you. My name is Jim Klein with EDS, and I just wanted to express a potential consideration if there is going to be some possibility of delaying providers' compliance. That is, all of the people that are engaged in administrative transactions will be required in that case to continue to provide or duplicate their dual standards if you will, in terms of systems cost; in terms of infrastructure; in terms of communications, et cetera.
It is my understanding that there were some assumptions made when this bill was passed in terms of savings. My concern is that would potentially erode that.
DR. DETMER: Okay, did you want to speak? Please.
MR. SCANLON: John Fanning will be joining us tomorrow morning to update us on the privacy recommendations, but let me give you a brief report this morning in terms of process.
You will recall that HIPAA requires the secretary to send detailed recommendations for individually identifiable health information to Congress just about at this time. The recommendations are more or less finished, and they are in the final stages of departmental and OMB clearance. The secretary will probably be releasing the recommendations when she testifies on Thursday before the Senate Labor/Human Resources Committee at about 11:00 a.m.
So I don't think the recommendations will be available before then, but when they are released Thursday, we will have them available for the committee, and we'll put them up on our HHS Web site.
The hearings I think, and the recommendations of this committee were very helpful. I think Dave will talk about this tomorrow, and John as well. The secretary is scheduled on Thursday to release the privacy recommendations.
You will recall also that the secretary gave an address on privacy to the National Press Club towards the end of July, that outlined a number of principles that would form the basis and framework for privacy recommendations as well.
So that is kind of where things stand, but hopefully by Thursday they will be available.
DR. DETMER: Her speech I thought, was really excellent.
Are there other comments or questions on privacy? It is too bad that just the dates are such that we didn't have the benefit of that Thursday, but obviously we will be tracking it, and we'll look forward to hearing from John tomorrow as well.
Also, my understanding was that our work was in fact quite timely and useful to her, and I thank everybody for their efforts in that regard, because I our staying to schedule really did help the flow of this.
Bill, I guess you really talked about the data standards component pretty much in your earlier comments. Let's move on then to approving our minutes. We will hear from, as you heard, John Fanning tomorrow. Let's move on at this point.
MS. GREENBERG: Actually, the minutes are included under Tab F. They are still in draft. They have not been sent to the speakers, et cetera. You also will be receiving them for comment. This is the June minutes.
DR. DETMER: So we should take this really not for action, but comment today?
MS. GREENBERG: Yes.
DR. DETMER: Okay. I have one correction on 30. It's just where I said, "Not let the founder." I think it's flounder, was really what I had in mind. It's a fishy suggestion.
Do others have any comments? Yes, Simon?
DR. COHN: I actually just wanted to compliment Marjorie and the staff for the development of the minutes this time. I thought the executive summary with the action items was very, very helpful to everyone involved. So I would like to congratulate you.
DR. DETMER: Well, this is what we were wanting, and I think it is at least what I intended, and it sounds like others agree.
Any other content or general comments?
Let's have some discussion. We sent our first puffs of white smoke up after the June meeting in terms of the recommendations on some issues. Dr. Braithwaite made some comments. I would be interested in just having a little discussion on what some of you feel we have learned or heard in reaction to that. Obviously these things will carry forward in our subcommittee discussions, but I think it would be interesting to get some discussion at this point.
So I don't know who wants to pipe up, but I would be interested in hearing a little discussion about that.
Elizabeth?
MS. WARD: I'll certainly say in Washington they were received with this makes sense, looks good. I went to several activities there, and there was just positive response.
DR. DETMER: Okay, great. Others?
I guess my own sense again was, what was there was seen as reasonable. I think there were some people that had hoped in some instances to see a little more. On the other hand, I think obviously we needed to get some things out, and we continued to do more. So that's I guess, the kind of response that I got. On the other hand, considering that what we did was clearly taking into consideration an awful lot of comment that we heard, and was a responsible start.
Barbara?
DR. STARFIELD: Actually, I wasn't sure that the confidentiality aspects of data were really discussed out really thoroughly in this committee. I'm not thinking of this necessarily in terms of our recommendations, but in terms of our understanding of the issues and preparing for the future with the computerized patient record.
I mean we really didn't talk about who has access to data, having just had an experience in outpatient visit in my famous hospital. I think there are issues there that we really need to discuss.
DR. DETMER: Okay. Other comments?
MR. SCANLON: Don, in some of the letters that HHS received based on the recommendations of the National Committee, they are pretty much laudatory. In terms of the standards, apparently there is a fair amount of consensus on the standards per se. In terms of the correspondence we have received, the comments raised issues such as the time frame, the process for determining content in future standards.
What else, Bill? I guess the overall vocabulary issue. There is a lot of very laudatory advice for the department in terms of the standards themselves.
In terms of privacy, people seem to be reading into the report what they may. You remember the report was quite specific about some recommendations, and in other areas more or less recognized the two sides of the issue. So in terms of the comments that have come in so far to the department, it is sort of people identifying one or two or three specific areas where they see they can read it one way or the other, but I think the department really found this very helpful.
DR. DETMER: I think it would be useful -- I don't know if everybody did get copies of the letters that came in to us. Did you all get those or not? I think it would be useful. I was impressed with the detail with which they went through. Some of the organizations that wrote in went through literally every item. I think that would be useful to the committee if they haven't gotten them.
Richard?
Any further comment on that? So I don't think we will take our break yet. Let's move on and start having our discussion on some of the proposed recommendations on the health data security standards item. The concept was we were going to start getting this out on the table today, with the understanding that after the subcommittee work and the session tomorrow, we hopefully would be ready for action.
So Dr. Lumpkin is that fair? Are you prepared to speak to this?
[Discussion of the passing out of various paperwork.]
DR. DETMER: All right, let's do this. While we are getting these copies put around, why don't we move forward on the next item, and them we'll take a break, and then we'll come when we are more secure about security, and we'll talk about it.
So is that okay, Dr. Iezzoni?
DR. IEZZONI: As folks heard at the June meeting, in the first week in July OMB came out with their recommendations having to do with categorizing race and ethnicity, what was colloquially called Directive 15.
We asked Hortensia Amaro, who graciously agreed to do so, to prepare the draft of the letter that will hopefully go out under Don's signature. Let me just say that this is like a STAT action item, because this response will be literally faxed to OMB. It is due today. So apparently we have an electronic version of the letter with us, so if people have any specific comments, hopefully we can get it done.
Hortensia, the copy that was in our agenda books was old. So would you mind just walking us through the new copy, and telling us a little bit about it?
DR. STARFIELD: Yes, please, could you identify where the changes have been made, because some of really read the letter that was in the book, and I would like to know where the changes were made?
DR. AMARO: The changes that were made were as a result of input that we received from individuals who have been looking at this issue for a while. We particularly tried to take into consideration David Williams' comments. Overall, we felt that the recommendations really are good ones. That they move forward some of the issues that have been under discussion for a while by different groups.
We did have some concerns that we wanted to express before going on to commenting on each of the recommendations. So the third paragraph has some changes in it which basically pertain to the continuing need to still clarify the underlying concepts of race and ethnicity. The sense among some committee members that these are what are called often race categories, are really ethnic categories. In some cases, such as Hispanic, it is called an ethnic category, but why wouldn't we call Asian also an ethnic category, since there are so many groups under that? Similarly, for other groups currently called race.
This is a pretty complex issue, because it would really take looking at what might be ways of totally reconstructing the way we conceptualize and measure race and ethnicity. So we wanted to just acknowledge that it's an issue that needs to continue to be looked at, but agreed that in terms of the practicality of trying to do that now, it would not be very feasible. So then we went on to comment on each of the recommendations that were put forth. So that was sort of an introduction statement that was added there.
DR. DETMER: I think that is really quite appropriate. I think of the things that we talk about, probably of all the documents, this may look in a sense 50 years from now or 100, the most peculiar or whatever. Clearly, we obviously as a culture are evolving it.
DR. AMARO: The recommendation 6.11 really I think didn't change at all. That is regarding reporting more than race. That stays the same, in which people will be able to select one or more.
The major issues we pointed out here are really going to be around tabulation and reconciling the new way of collecting data with the way it has been collected in the past. So we had some recommendations for continued involvement in that activity that we feel is very important, especially as it pertains as to how it will impact health data.
The recommendations put out by OMB didn't always identify how this tabulation was going to be done. There were some ideas, but it needs a lot more work. We suggested that this group should continue to be involved, and provide our assistance and support.
The 6.12, the change is that we changed mostly our tone here from saying that we didn't agree with it, to that we agreed with it, although we acknowledge that this is with a combined race and Hispanic ethnicity question. I think the primary concern that we had is that having two reporting formats, one with one question, and another one with two questions when information is reported by proxy, presents some problems in reconciling race and ethnicity data that still has to be worked out.
So we tried to stress that in the case of health data we should really try and have consistency as much as possible, whenever that is feasible. We made some suggestions there about continuing to work on this, in addition to again supporting and suggesting stronger language on whenever possible, collecting more detailed information on subgroups such as Asian-Pacific Islander subgroups and Hispanic subgroups, for example, since we know that there are important health differences within those groups that are often hidden or misrepresented when you combine them under the large category.
DR. STARFIELD: Can I just ask a question about that? When I read the original draft -- I haven't read this one yet -- is have you made a recommendation in terms of multiple ethnicity? Is there such a thing as multiple ethnicity? It seems to me there is. Mixed ethnicity? I just couldn't identify it. Is it there?
DR. AMARO: I don't think.
DR. STARFIELD: I mean like multiple race.
DR. AMARO: That's in the first item, recommendations that people are able to check off as many boxes as are relevant for them, but I don't think there was a recommendation around multiple ethnicities.
DR. STARFIELD: Shouldn't there be?
DR. AMARO: Although if people are able to check off multiple race, they should be able to check Hispanic, as well as under the races, whatever is relevant for them.
Was there a change to the recommendation to that?
DR. STARFIELD: I don't really know, but it seems to me that that might be a recommendation we might make.
DR. AMARO: Okay, we can try and think of a way to work that in. I'm trying to think; right now people would be able to check -- and help me, if you can think about this with me -- people could check right now under multiple races. So they could say Asian-Pacific Islander, et cetera. I think they could write in if they had, for example, Asia- Pacific Islander, several groups.
DR. SCHWARTZ: If there were a check, all that applies with respect to races, then they could, however, in 6.11, the comment is made in the latest draft that labeling these categories as races is inappropriate. The suggestion is made to label them as ethnicities, I would assume. So thereby if that recommendation is taken, it would seem to me that the multiple categories and check all that apply, would be applied to ethnicities as opposed to races, if that recommendation were taken.
DR. IEZZONI: Actually, I don't think we go to the extent, Dr. Schwartz, of suggesting that they change the language here, because we think that more research is needed.
But to address Dr. Starfield's comment, we agree; people ought to be able to check off more than one ethnicity, but the way that the OMB has currently constructed their recommendations, that's not feasible. So what we do our third and fourth paragraph here is to say we want people to begin to research the issues of looking at ethnicity in a more detailed way under the broad what they call racial categories.
Presumably if we move to a point where we can get more information on specific ethnicities, then yes, we would probably recommend that people be able to check off multiple ethnicities. Right now, all we have is Hispanic origin as an ethnicity.
DR. DETMER: Jim and then Vince.
MR. SCANLON: A follow-up on Lisa's point, Barbara. The only ethnicity that is included in the standards is Hispanic or not Hispanic. The rest are considered race categories. I guess this is the other issue. The Census Bureau does ask in the decennial census for other ethnic backgrounds and heritages. There I believe you can check more than one.
The issue here, how the Census tabulates information will be equally crucial. There are no tabulation guidelines given here in the OMB recommendation, so how Census and others actually tabulate these multiple entries will be critical for denominators and other purposes.
DR. STARFIELD: The question of Hispanic is not so to speak, black and white.
DR. MOR: I just was going to say as soon as you begin to move outside of the very limited rule of Hispanic as an ethnic category, then we have to really totally rethink the way in which these laundry lists are constructed. I actually think having a preface saying this is an important thing to consider in the future is the right strategy, because you just have to be able to continue with the structure now.
The research on the multiple racial category coding is reasonably convincing, but no one has yet done that on the other side on all of these other multiplicity of ethnicities, whatever those might mean.
DR. AMARO: Then there were questions about 6.14, which is pretty straightforward; placing the Hispanic origin question before the race question, and the data in the studies done pretty much support that.
The next two are adding Cape Verde(?) as an ethnic category, and adding Arab-Middle Eastern as an ethnic category. When we discussed this in our subcommittee, we all agreed that it was important for states, especially with significant numbers of individuals from these populations, to gather this information, but that there is a need to develop some criteria for cut point of which groups, when, under what conditions are going to be included before the format starts to be changed.
So we recommended that states be encouraged with populations where this is relevant, to collect this data, but that there be some work done to try and develop some kind of criteria if we are going to move beyond the original categories, so that there is some thought put into it, and it is done in some kind of systematic way.
Really I think most of the other ones pertain to changing terminology; like 6.18 is changing. It was a recommendation regarding the term "American Indian," changing that to "Native American." The recommendation was not to change that. There was research presented that supported that. So it seemed to be convincing and we agreed with it.
With recommendation 6.19, regarding the term "Hawaiian," to "Native Hawaiian," it seemed that the term "Native Hawaiian," more clearly communicated to individuals what that category meant. It didn't just mean being born in Hawaii, so that seemed to be convincing and we supported that.
Recommendation 6.10 considered the classification of Hawaiians perhaps being moved to being considered in the Native American category. The evidence from public testimony and other studies that were presented seem to be supportive that it should continue to be classified into Asian or Pacific Islander categories.
The 6.11 was really again referring to a change in terminology, considering changing Alaska Native; using that to replace Alaskan Native.
Recommendation 6.12 was to classify South and Central American Indians as American Indians. I think that there was some discussion that if American Indians above the U.S. border and Canada were included in that category, why shouldn't the ones below the U.S. border be included, and that it seemed to make sense. We did recommend that the impact of this be studied, because there was not much information provided in what the potential impact of what that would be.
Recommendation 6.13 suggests that the name of the Black category should also be changed to Black or African American. The idea is to include as many terms as would help people identify with that category, and clarify who goes into that category. Again, here we tried to emphasize the need to collect information for subgroups. Since that category is so broad and includes so many different groups, and we know that from the perspective of health, those subgroups look very different.
Similarly, the term to be used for Hispanic, it was suggested that Latino or Spanish origin be used if it is appropriate in a specific state, and we agreed with that under the principle of individual dignity, which they cite at the beginning as one of the principles under which they proceeded to do their work, basically using terms the population identifies with.
So overall, those are the major ones. I think really the most complex ones are the ones at the beginning. There is still a lot of work to be done. I think the committee really needs to stay active. There are a lot of implications for health data that we don't quite understand yet, and we should continue to keep our eye and have an opportunity to comment on this, especially the tabulation procedures that are developed.
DR. DETMER: Thank you very much.
Additional discussion and comment? John?
DR. LUMPKIN: I appreciate the work of the committee, and I think it's very important that we comment on this. I'm kind of troubled by two issues, one which is perhaps more superficial and personal, is I never can figure out how to classify myself. I'm not sure that this category change has helped me all that much, when my mother, who is of Russian Jewish extraction, my father is African American, and I have great-great grandparent who is Cherokee. How do I mark this?
DR. AMARO: Well, actually it does help you.
DR. LUMPKIN: We've actually made it a progress, because now I get to check all of the above.
But a more fundamental question, which I haven't heard discussion, and maybe this occurred in the committee really draws upon our conclusions of why we do this. As far as I have been able to ascertain, racial characteristics are not scientific designations, but in fact are political and social designations, which are of significance in this country because of the impact that they have upon many of the life choices that people have.
So as such, I think it's important for us to keep in front of us why we are doing, because much of our ability to track what is happening to individuals in this country and their health is very important, and these designations can be useful in trying to identify groups who are at particularly high risk. That really has been one of the major focuses of epidemiology.
Sometimes the changes in the political climate in this country impact health of certain subgroups. So I think what we have done, particularly looking at do we get the appropriate reporting is a very good approach, and I would like to urge us to continue to do that, but we do need to periodically continue to ask ourselves why are we making these classifications and do they meet the need of the answer to that question why.
DR. DETMER: Yes, I agree. You said in a much more eloquent, expanded fashion kind of what I was trying to underline in my comment, because I really do think that this is going to get much more serious discussion in a way in which it may be a little fresh and new in our culture. I think to underline it is a very appropriate comment.
DR. COHN: I first of all want to thank the subcommittee for what I think is overall good work. I want to say that in the new draft I was particularly taken by the third paragraph, which I think really brought the issue I think Dr. Lumpkin was beginning to discuss to focus.
I think the only question I would have about this draft is just a question about the draft itself. Then I have a process comment to make. There seems to be no follow through to that comment through the rest of the set of recommendations in the sense that there are reservations discussed about this whole issues, and at the end we have a summary where we say we basically agree with what they did.
I just was wondering as I looked at this, that I found myself somewhat convinced by some of the introductory comments, and yet saw no follow through in the rest of draft.
DR. IEZZONI: I think, Hortensia, that we should return to some of the comments in paragraph three at the very end. I agree, just to underscore.
DR. COHN: Now, can I make one process comment? I think this is very good, and especially with that, it will become a wonderful letter. I just a comment just generally about this and other new versions of things that we see. Certainly the committee has gone through a number of drafts of a number of items over the last couple of months.
Just as one who reads the drafts as they come through, I know I probably speak for the entire committee that seeing revision changes that occur with each draft -- and once again, this is not specific to this, but probably brought out because this is the first one we have seen today, and certainly not the last -- it would be for me, very useful to be able to identify and have marks on these drafts that show changes from version to version. I see other committee members going yes.
There have been a number of other documents we have received; this is not the only one that we will see over the next day and a half that this applies to.
DR. DETMER: I don't see any reason we can't do that.
DR. MOR: All of us would have to be using the same kind of software in order to have -- by e-mail -- in order to have the mark-up and change versions communicated in that way.
DR. DETMER: Unless you switch to different language.
DR. LUMPKIN: What we do in our statutory language in Illinois is that you put the new changes in a different type face, maybe all in caps. There is a convention that I think we can work that will transcend word processors that will allow us to do that. I think technically it may be complex, but once we decide --
DR. DETMER: Okay, that's good.
DR. IEZZONI: However, I would like to just comment, Dr. Cohn, that Hortensia gave up her vacation to do this. I would just like the committee to really recognize all the hard work that she did at the very last moment. [Applause.]
DR. STARFIELD: I concur, I think this has raised all the important issues, but I want to make sure I understand what the changes are from the previous draft. I really can identify only one. It's the change from just the American Indian; it is now to allow American Indian and Native American. That is the only change you have actually made in the recommendation from the August 11th? Is that right? I can spot any others.
DR. AMARO: I'm sorry, from the last draft?
DR. STARFIELD: From 6.12, the last draft said we concur, but now this draft, September 8th says it should be either American Indian or Native American.
DR. DETMER: It's 6.1.12, page 8.
DR. STARFIELD: Yes, 6.1.12 in the August version I think -- maybe that isn't right.
DR. AMARO: That one didn't change.
DR. STARFIELD: That one didn't change?
DR. AMARO: No.
DR. STARFIELD: Oh, sorry.
DR. AMARO: I can briefly go over what changed, if it will help you again.
The only changes are the addition to the third paragraph about the whole concept of race and ethnicity; that it thought it was important to forward. Then on 6.12, we had in the previous draft started by saying that we disagreed. We basically made the same points, but we changed the tone to say we agreed with the recommendations, because we understood the limitations of having everything, all sources of data use the two question format. It is just not feasible for some sources to do that.
So after some discussion and understanding the issue a little bit more and the constraints, we changed the tone, still expressing our same concerns about problems that emerge in the data system when you have some sources with a one question format and other sources with a two question format. Really only the beginning of that recommendation changes in the manner that I have just stated.
DR. STARFIELD: Do I understand that correctly? The previous recommendation said it could be American Indian or Native American, but this one said, South and Central American Indian should be classified as American Indian. Can that also be Native American, consistent with the previous recommendations?
DR. AMARO: I'm sorry, which one are you referring to, 6.1?
DR. STARFIELD: Yes. One of the previous ones. The term 6.18 says that the term "American Indian" should not be changed, and our committee now is recommending that both terms, "American Indian" and "Native American" be used, 6.18. On 6.12 says that South and Central American Indians should be classified as American Indian. Could that be also Native American, consistent with the 6.18? Am I coming across? Six point one eight says you could use American Indian or Native American; 6.12 says South and Central American Indians should be American Indian. It doesn't give the possibility of either.
DR. AMARO: Maybe I should talk to you individually.
DR. STARFIELD: That actually is a change; 6.18 has been changed.
DR. BRAITHWAITE: I do understand you, Barbara, and I agree.
DR. DETMER: I think that what she is saying is American Indian or Native American. So if you added essentially or Native American at 6.1.12, you would take care of the inconsistency that otherwise is there. Is that it?
DR. STARFIELD: That's it. The way it is now the South and Central American Indians are treated differently.
DR. DETMER: Just as a comment, I think for the committee and also the people here today, often times these reports are in the process in the department, and come out with a very fast time line and so forth. We either hop on them when they come, or we let them go and we don't even have a chance to comment.
I frankly personally, despite the angst a little bit of trying to manage to it administratively, would rather see us weigh in every time we think this is something that is relevant, and is the public's business relative to vital and health statistics. So some of our non-linearity at times, at least I'm willing as chair to tolerate just so that we make sure that we weigh in on things in the process of the government's work.
I just feel like I need to make that comment. It does interrupt vacations, and I'm proud that people are willing to deal with that in that kind of a way, but I think it may be worth making a comment.
I think if I hear you, Barbara, if we could make that change, and maybe add a little more language at the end, we could probably not see this again, and we would be able to trust the committee and me to deal with that and send it on because of the time line.
So there a motion to that extent?
DR. LUMPKIN: So moved.
[The motion was duly seconded.]
DR. DETMER: Is there any further discussion? All in favor say, aye. Opposed? Abstentions?
[Whereupon the motion was passed.]
Thank you very much.
Why don't we take a 15 minute break, and we will then resume. You can read the security letter while we are breaking if you wish.
[Brief recess.]
DR. DETMER: I'd like to call us back to order, and call on Dr. Lumpkin, please.
DR. LUMPKIN: I would like to start off by saying I feel secure in being able to make this report. All of you have in front of you a draft. I'll say that this is something that we will discuss. This is a draft that is going to the committee, but because of the time frames, I did want to let everyone have a peak at it before our meeting this afternoon. So if there are comments that you would like the subcommittee work group or whatever it is that we are meeting this afternoon to hear, this would be a good time.
We had a hearing in August -- it seems like it was two months ago; it has been a real busy time -- which I found to be fascinating and disturbing. Fascinating in the sense that there is certainly a tremendous amount of technology that is available to assure the security of information systems.
We counterpoised security to privacy and confidentiality, and I think that's an important distinction to make. Obviously, if you don't have a secure system, you can't have a system that protects confidentiality and privacy, but if you do have a concept of privacy and confidentiality, then part of the mechanism is to assure that people don't access the system inappropriately.
We heard testimony from one vendor who commented on the fact that one of the things he does before he goes in, he sort of makes I guess not a wager, but a claim that he can go into any health care institution in this country and walk out with ten charts of patients, the paper records. He says that he can do it on demand, and based upon my experience in medical institutions, I have no doubt that he can.
So that in some ways we have to look at the new electronic age as a potential that if it is implemented correctly to significantly enhance the poor state of security that exists with the current paper system. So while it increases the public's concern about security, I think it potentially adds to our ability to implement security.
We heard a lot of discussions, very disturbing, about how there are many systems that are available, but because there is a lack of uniformity in security approaches, it is often very expensive. Many vendors will present to the purchasers of information systems, yes, we can do security, but it is going to cost you a lot more. That isn't necessarily, from what we heard of the testimony, the case if security is thought of early on in the process of developing the systems, and is built in from the beginning.
We heard testimony about the report on the National Research Council for the record, protecting electronic health information. Many of our recommendations were reflected and based upon that report.
You have before you the letter. I won't read it, but essentially to say that we did have some presentations. It was fairly clear to us at the hearing that while there existed some standards on security, that none of these standards were being implemented. So we do not come forward with this recommendation being a particular standard on security, but that we do recommend that we do a phase in approach.
I think the initial phase to have some impact in industry is to say what we expect the security systems. Then working with the standard development organizations, when we think these standards are a little bit more mature, I think it would be appropriate for us to make recommendations to the secretary of adopting a specific standard. So this recommendation would not have a specific standard to present before you.
DR. DETMER: So essentially it's a review of the sets of principles, and then stay tuned? Is that what you are sort of saying?
DR. LUMPKIN: Yes.
DR. DETMER: As you will recall, I think for some of the folks in the audience, we had dealt with the privacy/confidentiality and some of the administrative standards requirements first, and then had these hearings. So this is actually our first major step into the security relative to the HIPAA requirements.
Kathleen?
MS. FRAWLEY: To follow from John's comments, at this hearing we had 25 witnesses. It was the only hearing we actually had consensus, because in the privacy and confidentiality hearings we certainly had anything but. Basically, the recommendations of most of the witnesses were that we needed to development a series of organizational and technical practices that the industry could adopt.
They needed to be scalable, because of the examples that we heard from witnesses is the solo practitioner, all the way up to the integrated health delivery system, and therefore one size will not fit all in this situation, and that there really wasn't one standard that would meet the industry's need.
So I actually thought it was a good hearing in the fact that we had a lot of consensus from witnesses, and that they were more often in agreement than disagreement, so I thought that was important.
DR. DETMER: Barbara?
DR. STARFIELD: I read this on the e-mail Friday night, right after I had finished reading the transcript, which was evidence of a hugely rich discussion. It was fascinating to read it for someone who hadn't been at the meeting.
I guess I sort of surprised at how short the letter was given the richness of the hearings, because there was a lot that came out that is known, and that could form the basis for standards. Yet there were a lot of questions about the implementation. It seemed to me that it would be more helpful to the secretary and the staff to know which are the areas where there is pretty much consensus on, and where it is not being implemented, and what are the remaining areas that need to be worked on.
DR. DETMER: Reactions?
DR. COHN: Actually, I was not going to directly respond to your comment.
DR. DETMER: I am interested in your reactions.
DR. LUMPKIN: I think one of the things we can do at the committee meeting is look at those particular areas, and then add some things to the letter.
DR. DETMER: I think it is wise, just in terms of even what is authentication. There is a lot of definition of terms, as well as other things.
DR. MOR: I was going to say the same thing. Just looking at this, I don't know what half of these things mean. I had the benefit of sitting there for two days and listening to it.
DR. DETMER: Now do you know what it means?
DR. MOR: Well, I'm not sure.
DR. DETMER: Other comments?
DR. COHN: I am actually very comfortable with most of the recommendations that we have made. I am somewhat familiar, after sitting through two days of the security hearings. Once again, I'm sure we will be talking about this, this afternoon in the subcommittee, but somehow there is a relationship obviously between privacy, confidentiality and security. It is obviously hard to talk about security standards when you don't have national agreement or recommendations or implementation of those recommendations on the national level.
I suspect that privacy and confidentiality legislation and regulation by the secretary may drive this further. Having said that, I think we need to make a note of that, but obviously it is hard to proceed further on that without that other shoe dropping basically.
DR. DETMER: Other comments? The purpose of this part is to give the subcommittee some input, so that when they meet, they come back tomorrow with something we would hopefully be able to sign off on.
I'm curious about just time lines. Maybe you are not going to speak to that at this point. It sounds like you are not, but at what point do you think these kinds of things might achievable? As you said, there is phenomenal variation and variability, but is there sense even when the committee -- do you have any idea when we're even going to be maybe wanting to come back more specifically?
We're saying accept these principles and move along with these considerations and configurations, practices, but what other things have you done about just sort of next steps I guess beyond this?
MR. MOORE: This is Bob Moore.
One of the things that was discussed, and one of the positions that we are taking in developing the regulations for security is that there are a lot of products that can do all of these things. Rather than naming a specific product as being the standard, we are saying that there can be many standards, as long as they all perform these functions or meet this criteria at a reasonable level.
So that we're not making the choice as to which product or which security system out there can be used. I think it takes us some time before we can wrestle with that, but we need to come out with something now, and say here are the things that any security system must encompass and contain in order to meet the minimum requirements.
DR. DETMER: What I guess might be useful perhaps is how mature or immature -- you say there are a variety of systems. From what I see and know, there is a lot of concern of the cost of these, the issue of size of your entity, and how much security you can put in, and those sorts of things.
So I agree, from what I know at least, there seems to be quite a bit of consensus. I think that the NRC report really was very useful in terms of kind of laying this out. I guess the question is, how forcefully do we believe that these can be acted upon in terms of technology and so forth? I'm just wanting to know, so what? We recommend these, but what happens?
MS. FRAWLEY: Well, most of these are organizational practices. Very few of them are technical practices. One of the things that the systems developers and the vendors who testified encouraged us not to get very specific in terms of the technology, because it is changing so rapidly.
We had a great presentation from PGP on their encryption technology. So just the way the systems are changing and developing so quickly, what the vendors and the systems developers, plus industry representatives thought was very helpful was to have a baseline, so that people kind of knew what the ground rules were.
Because right now many of the vendors testified that most organizations really haven't come up with an organizational strategy on security, and then of course are kind of looking to the vendors for some guidance. So they felt it was very helpful for the committee to lay out a framework that people could begin to move towards.
DR. DETMER: You used the word "must." I see it as not being wishy-washy. I'm not trying to give that sense, I'm just asking.
DR. LUMPKIN: I think the difficult of this is part of our job is significantly different than what we have done before. The reason why it is different is because it impacts what individual providers do, and groups of providers.
We can certainly through various recommendations and looking at encryption and transaction standards, protect the security of the data in motion from one location to another. This really has a lot to do with the data at rest, where it is inside an institution.
My take on this, and I'll tell you what I did when I came back was in our agency, I talked to two groups of people. One is I talked to our data processing. I set up a meeting to have them do a presentation on security within the agency of the various databases that we have, and ought to be protecting.
The second is to meet with our licensing and regulation group for health facilities, because the kinds of things that we want to see is that the organization has a plan. There are many types of technologies to get at how you track access. I'm not sure that we need to particularly say that we're going to approve one particular standard for that tracking of access in audit trails, as to say that what good does it do to have programs that do that if no one is looking at it, and no one is following through?
Has everyone who looked at this particular record really had a right to look at it? Those are the kinds of organizational practices for which I'm not sure that there are really good or applicable standards, nor do I see them in the future. I think it is a very important issue that we need to maintain some heat as a national committee, and I think our subcommittee ought to continue to do that.
DR. DETMER: Yes, it's interesting, I just was at the Advanced Integrated Information Systems grant consortium from the National Library of Medicine -- had a program Saturday on security systems. They swapped stories on all this.
I think what was very interesting was some academic health centers had programs looking very much at security systems for patient information. A couple of them had it looking at research subjects and confidentiality. A number of universities are starting to in fact adopt university-wide programs for e-mail and just security of I guess what I would say citizenship skills as well. There is a set of these issues that relate to what is an appropriate way to behave civilly in an electronic age as it relates to some of these issues as well.
I guess what I'm hearing you say, John, is that you came back from your meeting and called some meetings to sort of run the flag up and say, hey, we really need to start really looking at this, because these are the things we need to do.
I guess just to prolong my own comment on this, one thing that we might say is that we would urge all health care organizations to look at their current practices and procedures, and look at it broadly, as well as narrowly as it relates to some of that, plus keep in mind these principles as we did it.
Now that's not recommended technology or anything else, but it is making a recommendation that sort of says, hey, it's not just a matter of these things, but you ought to be about it. Maybe we shouldn't do that; I don't know. We are here having this discussion, so that's on the table.
MR. MAYES: This is Bob Mayes.
I think one way to characterize the discussions that went on in that meeting if I might is sort of a three tiered level. There were certainly presentations that addressed very specific technical capabilities in systems encryption; other types of things.
There was a second level of discussion, since many of these, if not most of the testifiers represented groups that deal with security across industries, are even not within health care, but rather within the defense industry or one of these, a number of them pointed out that there are actually structures which have been put forth. One of them was called the Orange Book. It's a K2 level.
This is actually a set of specifications which are published by for instance, the Defense Department, saying if you want to be certified as compliant to this level of security when you build a system, here is what you must include in that system.
Then there was yet a third level, and that was really a discussion of what are the issues unique in health care organizationally that would impact whether or not you are using a K2 level system or whether you are using that.
So I think the feeling was that in terms of the base technology, it is ever changing. It is changing rapidly. Health care by no means drives security technology. There are other sectors that have far more input and far more interest in this, and have historically.
At that second level, again, in terms of general security frameworks, at the level of how you implement the technology within a system, health care is not at the forefront; is not likely to be at the forefront. There are models that can be adopted for that sort of technology/system interface.
Where we need to address very specifically are the areas, what are domain specific in health care? What are the sort of organizational requirements? Why can one go into any hospital and walk out with ten medical records under their arm, or that sort of thing? So perhaps that's a way of kind of stratifying it, and looking at the areas that would be most fruitful for us to examine without reinventing the wheel, particularly since there are other groups that have invested far more into this than we have currently.
DR. DETMER: Others? John?
DR. LUMPKIN: I'd like to toss out a thought, just to see what the committee would think about this. While we are making this reference to K2, one of the things that came to mind is whether or not we should suggest that HCFA consider or at least open the discussion of having a condition of participation in relationship to security in the types of health care facilities that are certified under Medicare and Medicaid. That would put it into a real context. That may bring some of this into a much clearer focus.
DR. MOR: That is a very interesting suggestion, but one of the things I sort of began to think about when we were listening to the testimony was the differentiation not just in terms of the technical issues, but also the kind of data. The data in place, I think one could think of that data as both a paper issue, as well as an electronic issue.
Data in place is sort of in the provider's world. Data in motion is going from whatever the provider is using, to some other place, both internally within the organization, and externally. There is a lot of discussion about the lack of boundaries or the lack of specificity about what the boundaries are in health care organizations these days because of these immersed, vertically integrated or integrated systems, which makes the notion of motion and whether or not a health care system that is emerging actually has the capacity within its own framework to put a fire wall around other people, so that they can say their data are now at rest, rather than in motion. There is a whole different set of issues around that.
Then the other issue, which I haven't heard so far, but it was a discussion, was security in terms of data archiving; whether it is internal, no longer an active issue, although records might also be active, but once the data are archived, whether they are in data libraries or repositories or what have you, there are also other issues just related to security.
I think it may make sense in both the letter, as well as our deliberations over time, to think about these things slightly differently, because they have very different implications for even the way in which someone would write certification standards or guidelines around these kinds of issues.
With the number of corporations that are incorporating and swallowing one another up de facto or in actual practice, what constitutes the boundaries of health care organizations for the sharing of information in active versus in repository form is really a very important issue, and one that I think somehow or other should be addressed. It did come up during discussions at the hearings.
MS. WARD: I would just build on what John Lumpkin had said. I think we need to address we have in every other arena talked about what are the legislative actions that are going to occur, what are recommending, what are the regulatory actions? Then suddenly we leap to security and say it's all voluntary. That doesn't track for me.
So I think we do need to at least address that it perhaps does not make sense to have this one area that really sort of finally makes it feasible to be totally voluntary.
DR. DETMER: We're just starting into this, so I'm not saying we have to take the thing all in one fell swoop, but just to get into it I think is the issue.
Actually, what would be some of the implications as far as you -- just kind of a casual response?
[No reply is forthcoming.]
That's causal.
MR. MOORE: I don't know that I can give you a response right now about where -- we are not going to get into a great deal of specifics in the regulations. As far as the standards being voluntary, we don't look at them as being voluntary; that includes security. Although there are some sectors that say they are voluntary, that's how they read the law, our Office of General Counsel -- and we've had several debates at different levels over this about the voluntariness of these standards, when they do go in effect.
We are not in a position to mandate any specific security packages. We couldn't begin to meet the time frame if we tried to do that. So we are going to be very nonspecific when we go with it, regardless what the NCVHS will give to the secretary.
DR. DETMER: I think this is very useful. I really don't want people to hear me otherwise. I think this is very useful.
MS. FRAWLEY: We did have discussion at the hearings about the role of HCFA in terms of the conditions of participation, and also the Joint Commission and NCQA. The problem that we have is that having been on the NRC study committee, when you go out to organizations, they are all over the place.
You walk into some organizations; if you ask them are they auditing access, they look at you like, what are you talking about? Or something like authentication, it is just not comfortable language for people. So I think the learning curve on this issue is a lot different than some of the other areas that we have been looking at, because people have not done a good of this.
Our first panel basically said we're doing a bad job with paper, so before we jump in full scale electronically, we've got to really improve organizational practices. So it's not a matter of just buying a package.
DR. DETMER: I think that's exactly right. One of the questions and challenges for this committee is how can we best help raise this issue as really an issue, as much as the technology and all that.
MS. FRAWLEY: My only concern about surveyors and conditions of participation or whatever is that we don't even have people who are comfortable with what the requirements are. So to have them all the sudden be held to a standard --
MR. MOORE: We don't survey those facilities that often sometimes.
The other issue with security, and I would like to make sure the members are fully aware of this, is that in the law, security states that all health care information. It's not just referencing those ten transactions that are moving, because that was the concept that was described by Dr. Lumpkin that said we have data at rest, and we have data in motion. The security should apply to all health care information, and that includes paper in our opinion. So this really looks at more than just those ten transactions when we look at the security of it.
DR. BRAITHWAITE: I kind of agree that we can't set down in regulation, what technologies should be implemented to provide security for health information today, but we can add to the list of principles that is here in a sense, and we can specify the criteria, or at least take a first crack at specifying the criteria by which one would judge whether or not these principles have been met by a particular implementation.
Although that is a fair amount of work, if this committee doesn't provide some assistance in that direction, then I think the department is going to have to provide a first crack at those criteria in its regulations, because how else are you going to judge whether someone is complying or not?
It's along the lines of the NCQA kind of approach. If you don't have a set of criteria, then nobody understands what it is you want them to do. Even though you aren't saying exactly how to do it, you are putting some boundaries around it, and giving them some guidance, defining what things are, and what the boundaries are around the logical and reasonable ways to implement those principles. I think we should take a crack at that.
DR. DETMER: The letter might mention this would be in the work plan; that we would be continuing to look at as it were to move forward.
DR. SCHWARTZ: I was going to say something very similar to what Bill said. I think in a nutshell let me just add that it seems that what we're really focused on here is redefining perhaps the legal and ethical framework for health information privacy when physical boundaries disappear, and perhaps developing some criteria or guidelines of how to deal with security and health information privacy when there really aren't physical boundaries could be something the committee could work on.
DR. DETMER: It just brings to mind the comments of discussion about the prior item where we really talked about what this meant in values and culture. Something maybe just along the line of speaking to the issue of some of these value dimensions and civility, as well as the security kinds of things might help frame a little of that.
DR. LUMPKIN: I think that in some ways we have to look at this much as in an historical sense we look at the quality assurance movement. The initial requirements on institutions were that you have a quality assurance program. We have now progressed to the point where we actually have HEDIS measures and all these measures of actual quality.
Many of the things that we talk about doing can be monitored by survey staff who know nothing about security, but are there organizational practices in place? Is there a committee and are they meeting? Are they reviewing this? Is there a measure in place?
So I think that there are ways that we can, even though we are not as specific as we are in some of the other ones, to have measurable indication that something is being done, and that progress is being made. Then as time goes on, we can be more and more specific on actually it's good that you are doing the organizational practices, but are you actually protecting, and that's the next step.
MR. MAYES: I would just like to make one comment. Dr. Detmer, you had asked early in the discussion what sort of time line the committee was thinking about that. I would like to tie it to a comment that Dr. Lumpkin made that came out of the hearings. Please keep in mind that security is extremely expensive to retrofit, yet actually not very resource intensive if you build it into the initial design.
So the earlier or the more specific, at least the overall level of technical approach that this group could come out with, I think the better off we would be, rather than sort of wait and say, well, we'll deal with the generalities first, and get specific two years from now. At that point it will be very, very costly to try and force implementation.
Two years is a very long time in the systems development. If we start talking now, we can feel fairly comfortable that systems that will be being used at the time the implementation is required, will in fact be able to meet security standards put in place.
DR. COHN: I was going to comment that at the security hearings there was obviously a wide variety of speakers, with a wide variety of viewpoints. I can remember at least one speaker, however, very much long with what Bob Mayes commented on, asking for greater specificity and leadership from both the federal government and from the NCVHS regarding exactly what it meant to be secure. Saying that one of his organizational challenges was, yes, security is a great idea, but what does it really mean? If you just tell me, then I can go and do it, and I wouldn't have to hire a bunch of consultants. So it's something to keep in mind.
DR. MC DONALD: Just to remind ourselves of how little we know, there is a great book called "Wicked Problems, Righteous Solutions," and I'm kind of hearing it right here. What it really boils down to is talking about product development cycles. It says you can define wicked problems a number of ways. One of them is if there are a lot of humans involved. If you have humans involved, you never know what you are designing until you have designed it once or twice, then you have to do it over again.
There are humans involved in security. So I really worry about the idea that we are going to sit down and define some technical specs that are going to impose on an industry, and in two years everybody is going to be happy. It won't be happy. There is no system I have ever seen that has been developed in two years that has worked in two years if it has got humans involved.
DR. DETMER: Yes, I think that's really true. I think it is also true, however, that in the business of staying so active in all the things you do, there is a tendency to put the security off to the side. It is a question of how do you get it in that agenda, and in that play, and in that mix, so that it even is part of the agenda? It is in some places, no question, but I don't think it is significantly part of the agenda.
Now how is the best way to kind of roll that I think is what you folks have really been struggling with I think.
DR. MC DONALD: There are a number of things that have been done, and people know can be done. I think the safe thing is to start with the things we know sort of have been implemented and work, and not take giant leaps forward such that we're going to design this thing that won't work.
We've got landing systems in this country that were done this way. Let's face it, just because you can think it, doesn't mean you can make it work. I don't know how many years behind -- I don't want to name names, but there are systems that have been conceived and have been hard to make work.
DR. LUMPKIN: I think what we heard at the hearing was that in some sense the systems that are being designed are built upon operating systems that automatically do things that are useful for security, but because of what the customers asked for in the past, these things are not connected. That is where the cost is.
So really if you do it early -- we are not dealing with in a sense, rocket science, because the defense industry has been dealing with security. If I am a vendor of a platform, whether it be a programming language or an operating system, I'm going to build it to the most difficult denominator, which is can I sell it to the DOD, because they are the ones who have whole bunches of money.
So when they then use those same systems to write for the health industry, they tend to de-activate those components or ignore them. So I think that we can make a lot of progress just to say to folks we expect to have that available. Just that statement in and of itself will begin to set in motion a process that will heighten the level of security within health care systems.
MS. FRAWLEY: The other thing too is that two of the problems that we heard about which are significant is password control and access control. We have health care organizations where people do not have individual passwords known only to themselves.
The second problem that a lot of health care organizations are struggling with is whether their medical staff should have open access to all health information, or if they should have restricted privileges to only those patients that they are caring for. That is being played out every day in health care organizations who are struggling with what should I do. Of course the physicians think they should have access to everything, but then the problem becomes how do you monitor access, which is one of our principles.
Some of these are difficult, because as Clem points out, they involve people who don't necessarily want to hear, here's your four digit password, your PIN, and you can only have access to those patients you are presenting treating. Anything else will have to be approved by whatever mechanisms are in place.
Simple things like that I worry about, because I don't know that the committee can necessarily say, thou shalt do X, Y and Z. I mean I think we have got to have some flexibility that if an organization wants to take the liability, and say our staff can look at everything, and they want to assume that liability exposure, that's fine, but I don't think people are even thinking about financial loss, because there is very little documented financial loss in this area.
The banking industry can say, we lose dollars if we don't manage our systems well, but in health care it is more difficult. When we were on the NRC study committee, there were very few documented instances where we could look at the health care industry in terms of what their financial exposure was on security breaches.
DR. MC DONALD: Just to highlight, I think some things we can just do, and there are some that are easy, because they are known. One of them is to suggest that you have a password that only you know.
This business about the constraint isn't so much that everyone wants to look at everyone; it's that the organization can't tell who should. I know of a great example. I was at a hospital five years ago that had this very, very tight security; only your patients on your ward could you look at. Then on the top of each terminal is if you want to get in, use this password.
The reason was if a nurse gets shifted in the middle of the night to the second floor instead of the first floor, she can't take care of the patients. You can't often manage the stuff fast enough to really accommodate that information flow. That's the human part.
DR. DETMER: This will be going to the group for discussion, then coming back tomorrow. So are there other items just to put on the plate this morning before we move on?
MR. GELLMAN: I think I'm going to make the same point that has been made. This is a multi-faceted problem. You've got a baseline here, as Kathleen said, where lots of people have no security at all, and haven't thought about it. So one contribution is getting people to recognize that they need to have security.
Another contribution is identifying the elements of that security. Even at the level of this letter, that's a contribution, and then getting into the details of what all of those elements mean is something else. Then implementing all of this is something else, because you are dealing with the allocation of resources. You've got an existing structure with paper and computers and networks, all of which are different, and the problem of retrofitting that Bob Mayes talked about is a reality, and that goes to the issue of resources and timing and all of this.
So you've got a really complicated issue, and you've got to take a very long term perspective on this in terms of what you recommend and how you get to it, and when you tell people what to do. The problem Kathleen talked about, about people don't have any financial disclosure. When the banks have a security breach, they lose money. When a medical care facility has a security breach, it is somebody else who is affected by it. It is not the facilities, it is the patients who are affected by it.
Anyway, I just think that this thing has to be taken with a very long term perspective.
DR. DETMER: Maybe adding some of that kind of perspective would be useful. I guess that may be also what I'm trying to say.
MR. GELLMAN: You can't do everything at once, and the question is, how do you structure these issues in terms of what do we do first, what do we do next, and when do we do it. That may help structure some of what's already there.
DR. DETMER: This will be going to the group for discussion. Maybe you can make a comment to them at the time of that, because I think we need to move on. I want to make sure we have a chance to talk through -- we have an action item on our public education work group. So I hope this is useful and you can then come back tomorrow with perhaps some changes to the language; perhaps not. You can just see where it goes.
Elizabeth.
MS. WARD: You have received this morning, a set of -- oh, they're just now coming around? You are about to receive this.
DR. STARFIELD: Do you have a tab in the book too?
MS. WARD: Yes, but what you are going to approve is about to come to you.
DR. DETMER: So we'll give you time to read it before we then talk about it.
MS. WARD: Essentially, I think this is another area where our committee has been trying to play catch up to a lot of issues. Essentially, we have been asked to make sure that we have the rules about our own behavior; relevant to a previous discussion about when you have humans involved, it is complicated.
We have been looking at how to also manage communication in its broadest sense in terms of making what we are doing more real to more people, and to facilitate that process in a standardized and consistent fashion. We're essentially applying the same things we are talking about applying to others, to ourselves, so that we can, as we talk to others outside and provide information that is accurate and consistent information, and how do we help do that?
One of the ways is that we are going to be trying to produce material that anyone around this table who wanted to make a presentation, could have that available to them in the most attractive form.
At this point I think the best goal would be, is to think ahead in terms of prepared information that people can use to do presentations, is that we should look now ahead, because we do have minimal resources to do this, and think about what we would like to have for people to use in presentations when the proposed regulations come out.
Several of us have been doing just the general orientation to HIPAA and this committee, and we have sort of finished that up. We didn't do it with the quality material that we would have liked to have done it, I think we now need to leap forward and have the time to do that.
So that's what Margie and I are talking about, is to have available in November to people on this committee, Power Point and other material available that we'll have for anyone on this committee who wants to make presentations at that point in the future.
DR. DETMER: So in other words, anything that has gone through the committee and has been approved, would be available so any of the committee members could give essentially a presentation on those findings and so forth?
MS. WARD: That's right. So that will be our future next step. What we have here to look at is approving the material we have at this point, and the process of how we will all behave.
DR. DETMER: Why don't we give people a chance to read this, and then we can talk about it generally, or really item-by-item.
[After the committee has read the handout, a motion is made and duly seconded for adoption of the material.]
Okay, let's open this for discussion. Simon?
DR. COHN: I had two things that came to mind as I was reviewing this. I think first of all, it's a very good idea that we're beginning to get some of this information down in writing, only because some of us have been having to query about this as we go along.
Now first of all, in relationship to documents, and this is just a question since I am fully in favor of non-agreed to documents being held confidential. Yet I find it a little odd and awkward that we are sitting here as a public committee discussing unreleased documents publicly that everybody is listening to, and yet they are considered to be confidential documents. I guess I need a little clarification on that. Maybe you help me understand where the line is on that.
MS. GREENBERG: There are provisions for advisory committees to hold non-public meetings, but they are in very constricted types of situations; generally have not applied to this committee, although it could be a case where it could be required, and then we would have to follow those procedures to explain why the meeting is not a public meeting, and have to do some kind of summary of the meeting.
I understand what you are saying, and I know a lot of people who come to these meetings, and who listen probably as we speak right now find it somewhat confusing to hear documents discussed that they don't have copies of. People have brought this to our attention, and we understand the problem there.
The issue is that there has to be a balance between being able to generally discuss issues and concerns and problems, but not actually making documents widely available, because documents, once they become available, often take on a life of their own.
So I think everybody both at the committee level, and even at people who are in the audience, and those who are participating have to have some sensitivity to that. Obviously there is going to be discussion of these issues and there should be discussion of them, but the documents themselves become very final when people start circulating them around.
Also, in this situation we have got a lot of very quick moving activity with the HIPAA standards. So it is very helpful to the implementation teams to get review by the committee before they put something out in a final form. I think that those of you who were at the July 9th meeting know, the department has been pretty open about what it is planning to do, or what its mandates are, and how it is thinking about addressing them.
I think the documents themselves, it's better not to be distributing them, because they can take on a life of their own.
DR. DETMER: Draft.
MS. GREENBERG: Yes, the draft documents.
DR. DETMER: We are very interesting in once it is up on the Web site, we want to know.
MS. GREENBERG: Absolutely.
DR. DETMER: You raise an interesting question, because mostly we want our process to be public, but if we create confusion by cross currents on drafts. I don't know quite the best way to try to put it in language, but that's the concept we are trying to deal with here.
MS. FRAWLEY: Can I make a comment on that? I was getting e-mail and phone call messages last week on the draft document on UHID -- which I hadn't even received until Friday -- from people external to the committee, which really troubled me that people outside the committee had already seen the draft document from the department, which I hadn't even seen yet, and I was already getting e-mail messages and phone calls, lobbying me to influence the change of the position.
So I worry about that, because we know what the ground rules are as a committee. We did sign our ethics statement and our non-disclosure, yet there are media and other people in other organizations who apparently have access to information. So you are always on the defensive where people are saying, well, I know the department says blah, blah, blah. I have the document. I, of course, just declined to comment.
I worry about that, because we always seem to be on the defensive. For some reason there always seems to be people external to the committee process who seem to have draft documents and kind of know what some of the deliberations are, and then they are calling you for confirmation.
So I thought it was very odd, because I didn't get anything until Friday, and that was the first time I had seen any of the recommendations, and yet I had e-mail messages on Tuesday, and phone called on Wednesday and Thursday.
MR. GELLMAN: Welcome to Washington.
DR. DETMER: I want to talk around just the committee here for a minute before we get comments.
MR. MAYES: Just a point though, just to let you know it was only distributed through our list serve. So it didn't come out of the department to a broader group.
DR. LUMPKIN: I don't think there is much we can do about leaks of information, but I think that one of the things I would like to see sometime in the near future is a critique once we have gone through this process, of how this committee has worked with the internal working groups.
I think we had an example today of dealing with the OMB proposal, where an internal federal group has made a proposal, and now we are responding to it. It is not the same kind of input that I think would lead to a quality product like we have seen with the current process, where members of the K2 work group have been on part of the implementation teams, or at least have been auditing that process.
So while you didn't see the document, I was the liaison to that committee and I have seen all the drafts up along and had an opportunity to make an input. So at least when we come up to something, it's not a major surprise, or at least there is someone in our group who can sort of explain the thinking of the internal work group.
How we manage this process I think is a good model for our future interactions with the various federal agencies that we are advising, because I think it was a very useful, and I think hopefully from the federal agency side, a very useful process of interfacing with this committee.
DR. DETMER: Certainly I think this is a serious document, and we need to take it that way, and we are. If we really need to sleep on it tonight and come back tomorrow before we reflect on it, I think that's fine. I think we ought to continue to discuss it, because we ought to, if we agreed with this in a reformed manner, we ought to live by it.
DR. COHN: We're still open for discussion?
DR. DETMER: Oh, yes.
DR. COHN: Good. Actually, I had a question about presentations. I have obviously been out and have given at least one talk, along with Dr. Braithwaite, on this. I am trying in my own mind to reconcile I guess both my individual speaking style with presentations, with the information in the presentation section. Then under conflict of interest, item six, which basically states that we are obviously free to express our opinions as private citizens.
I'm actually trying to think in my own mind of where a conflict of interest exists versus not if one is speaking and "representing" views or decisions of the NCVHS. Yet also since that is not a very exciting discussion usually, presentation, we all tend to add our own pros, to talk about examples that may affect us within our own organizations or whatever, and how the activities or decisions affect our own organizations would seem to me to get very much into number six.
How do we do a dual presentation, or is that possible?
DR. DETMER: I think it is personally. I think you just tell the audience that I'm speaking for myself now. The committee has decided this, or this is under discussion by the committee, and I'm not going to get into the committee's discussion about it, because it hasn't concluded something. My own personal feeling are da ta da, but I'm not saying that that's at all where the committee will come out. I think you can deal with that.
DR. MC DONALD: It seems to me that the safest course of action if we are speaking outside is to always say it is our opinion, because first of all, there isn't that much product. It is all boiled down when the product comes out of the committee.
DR. DETMER: But if you are doing a Power Point presentation on one of our pronouncements, then obviously --
DR. MC DONALD: There are just a couple of you that probably might do that. I think the rest of us, we come here a couple of days a year --
DR. DETMER: But what this is saying is that actually we have done that, and we have an available presentation, that in fact actually if you will let us know, it is considered a good thing, a totally fine thing to do. That's not saying you will want to do it.
DR. MOR: I perfectly intend to do that, both through local policy people in the Rhode Island area, as well as the students, because it is an interesting public policy process that most graduate and even undergraduate students don't have that much exposure to. I don't have any problem saying, now here is my opinion, because I can't stop my mouth from running; but I at least know when to say this is my opinion.
DR. DETMER: Well, it is a public education work group. We are dealing with how do we in fact mostly educate about what in fact we are doing.
DR. HARDING: Could I get a definition of what a pre-decisional document is? Is it anything that we get by mail that hasn't been voted on?
DR. DETMER: Yes.
MS. GREENBERG: From the point of view of the committee's pre-decisional document or the department's pre- decisional document? There are two types of documents. There are ones that the committee is discussing.
DR. DETMER: Well, as far as I'm concerned, it's the committee's work that this group -- I mean, we are committee members.
DR. HARDING: So if I get something on security, I can't show that to the head of information security of my hospital and say shoot this full of holes for me? Or tell me the good news about this and what wouldn't be practical to use? I can't do that; I can't show that to any assistant or somebody that could give me information back on that? I have to come and get all the information just from the committee here? Now, come on, I'm having difficulty with that.
DR. DETMER: That's why we're here talking about it.
DR. HARDING: So the only technical information that we get will come just from the people who speak to this committee? We won't be able to get any outside information? To me, that's the way it is said.
MS. GREENBERG: You can certainly discuss issues and raise questions with individuals. I think that would be totally unreasonable if you couldn't. I guess the way this reads now, and I think this requires some discussion, is that you would not share the documents with people in the sense of actually giving them a copy of the document.
DR. HARDING: Now if I got this in the mail, I couldn't show that to anybody, but I could discuss it with them? That would be pretty tough to discuss this document with somebody, but if I could show it to my information person for the 600 bed hospital, I would say would this be helpful to you if we had something like this? I would like to have that information to come back and say --
DR. DETMER: Sure, I can understand your consideration. The other concern of course is that then becomes seen as NCVHS positions, and gets duplicated and off we go, and we haven't even dealt with it.
DR. HARDING: I understand that.
DR. DETMER: That's the tension in this. It's not as though we are talking about solid goods versus solid problems. It's how do we cope with it.
MS. GREENBERG: Let me make a clarification that I was starting to make before, because the document you held up was actually the appendix document to the implementation team's tentative recommendations on the uniform health identifier.
There are two types of pre-decisional documents we are talking about here. You are receiving documents that these teams are developing, and if you are liaisoning with one of the teams, you are really receiving early drafts. In this case, this is a later draft, but it still is very much a draft, and this is a highly sensitive issue, and I think you can understand why we really can't have these documents floating around.
In fact, I would say in the past the committee usually did not receive documents this early on. There was concern, just as John mentioned, you bring us a recommendation. We don't know what went into it really, other than what you tell us right now. We haven't been part of the process, and you need our advice by tomorrow, and that is difficult.
So we really have been trying through this process, to include you, but in fact these are federal groups. They are departmental groups, and they don't have any non-federal employees working on them. So sharing the documents with you is basically a courtesy and an effort to get interaction.
DR. DETMER: You want better policy.
MS. GREENBERG: Exactly.
DR. DETMER: I think it is all well intentioned. It is a question of how can you keep it from looking like it is already done.
MS. GREENBERG: There are so many technical areas I think in this, that there may be ones that certain members feel that without really consulting with other people, they can't really bring the best advice to bear. I think the opportunity there is when the NPRMs are published, you can discuss the issues. Try to get enough input that you can convey concerns of people who you think are very knowledgeable.
Also, these are all going to be published as proposed rules. Then you definitely want your experts in the hospital to really review these, to provide responses to the Federal Register notices. I think that is going to have to be their opportunity to really in depth, respond to an internal documents. So those are the pre-decisional documents that the department is sharing with you because of your important advisory role.
DR. DETMER: Maybe that needs to be rephrased a little bit, because I mean in a sense when you send it out for review and comment, it is still pre-decision. We need a term maybe to deal with that stage of document. We are really talking about pre-pre-decisional documents.
MS. GREENBERG: Non-public documents is what we are talking about.
DR. DETMER: That's a little different issue.
MS. FRAWLEY: We certainly get a lot of e-mails from the list serve. Maybe any document that is sent out, there could always just be a little statement that again, this is a pre-decisional document, and that you are encouraged not to share it with other parties.
I think that is what is happening, is people are getting these e-mails whipping across. They probably are not paying attention to the fact that perhaps this is not a done deal, and in good intentions may be discussing it with another party, but in creates problems, because you are on the receiving end of people calling, looking for information or wanting copies of things. Basically, I send them back to you and Jim all the time. Here are their phone numbers; go talk to them.
We get so many faxes. Between the faxes, the e- mail messages, and the regular mail, and if we don't read things carefully, it could be confusing as to what's final, what's draft.
DR. DETMER: Mostly I think we are trying to write down I think what we have been mostly doing. It's a question of just trying to get it down in English.
MS. GREENBERG: I think the issue is really whether the documents are public, because the committee also in the past certainly has circulated pre-decisional documents for review and comment to their mailing list, to thousands of people. No decisions have been made, only tentative recommendations.
I was thinking this myself just as we were preparing all these documents earlier last week, I think we maybe just need to have a stamp made up and have a template, "Not for public distribution." I think that is the issue on both the departmental and committee documents.
DR. DETMER: Well, maybe that would be it, and then we could have languages that say that. Then documents marked "Not for distribution," should not be distributed.
MR. MAYES: Just a quick comment. None of the documents that you would receive through any of the work teams' list serves is a final document. All of our documents go up to the standards committee of the Data Council, and only they have the authority to make them final.
So you should treat all communications from us as non-public communications, however, I would encourage you when you look at that, and you feel that you have either your own technical knowledge, in which case you can contact us directly, or you think that you know someone that has some important input, put them in direct touch with the team.
Send them the name and the telephone number or e- mail address of one of the co-chairs, because we certainly talk in fair amount of depth. We don't actually show them the paper document, but we work continuously with experts outside, both federal and the public sectors to try and hone these things.
So it's not that we're trying to keep them secret. It really revolves around the fact that we don't want documents taking on a life of their own. So we don't discourage you from having those people you think would have good input to contact us directly, but all the documents you get from us are not public documents, without exception.
MR. GELLMAN: Writing rules to regulate disclosures of information is extremely challenging. You want to know what pre-decisional means? You can go read a couple of hundred FOIA cases and try and figure it out, because that's where the concept comes from.
I think that we could sit and go through this thing, and just pick it apart, not because it is poorly done, but because you can't do this. I think that where you are headed in terms of this discussion is the best you can do is you label documents any way you want, and hope people do the right thing.
There is no reason to have written rules on this. There are no sanctions if people violate them. It's not going to work. People are going to do whatever they want. Documents are leaked all over the place in town no matter what, and there is simply no point in trying to deal with this in this fashion. Label your documents, and hope the right thing happens, and that's all you can do.
DR. DETMER: Well, I disagree with you. I do intend to try to follow this personally, but if you don't think any of us will --
MR. GELLMAN: That's fine, but I can take any document you give me, and run it through one of the loopholes in the language here, and do anything I want with it. I mean, it doesn't work.
MR. SCANLON: A couple of points. First of all, the rules that we are talking about here apply to other federal advisory committees as well. As members of this federal advisory committee, you are actually special government employees in your role here when you are doing the committee's business.
HHS, in the interest of getting your expertise on the whole HIPAA and other areas as well, really has kind of gone to the limit in terms of being able to provide internal HHS draft documents to you. Believe me, they do change even before they get very far in HHS.
I guess the other major point is we are about to enter what is a regulatory process, that has a very fixed set of procedures, and where those procedures are very important in determining how the rules get implemented as well.
So in a way, it is hard to draw a line very tightly, and you have to use your judgment, but there are clearly documents that you will get from HHS that you are getting so that we can benefit from your advice at a very early stage. To have them circulated would almost defeat the purpose and mislead the public.
Others done in terms of the committees, where the committee has taken on an issue and is drafting a letter, again, I think the committee would want to view that as a pre-decisional document. It is a slightly different kind, but it a pre-decisional document as well, where having it publicized that this draft is actually what the committee recommended actually does harm both the committee and the industry.
DR. DETMER: I also want to respond, Bob. My goal in these things are not to only think as a lawyer, and worrying about sanctions and fines and prison terms, and God knows what. I think it is a question of how do we choose to do our business, and how do we choose to try to relate to these things. That's the spirit in which personally I'm talking about. I'm not saying that you're not talking about that.
MR. GELLMAN: I don't really disagree with the sentiment of what you are all talking about, but I think having formal rules and trying to say you can do this and you can do that, and try and regulate all kinds of behavior and speeches, and if you do this, you have to get your article cleared by the powers that be on the committee before, because it happens to fall within or without or whatever, is a thankless task.
It doesn't work anywhere else. No one else has been successful at doing this without a lot of time and expense. I don't think you want to have people send you dozens of articles for you to read over for you to see if you think they are approved before they happen to appear for publications.
DR. DETMER: No, but I do like to know if somebody is going to make a certain presentation, because it's just good to know that, I think that's all, not as a cop, but just a matter of knowing what is happening. I think there is some wisdom to that.
MR. GELLMAN: All right.
DR. DETMER: Clem is saying he doesn't want to do that.
DR. MC DONALD: No, I was saying I think the safest course of action is declare public citizenship and say what you want. Then you don't have to worry about the tangles. Bob wasn't really arguing against any of this either, he is just saying the pragmatics -- we spent a lot of time on this -- the pragmatics are that we are going to do our best job, goodwill and all that, anyway. The extra rules probably don't add much more to that.
DR. LUMPKIN: I think we may be just caught on some words. These are really guidelines, because there is no enforcement, and there is no cop there. I think that all of us need to have some understanding of the trust that our position on this committee places. Our challenge is to try to keep this committee as effective as possible. That really, in large measure, depends upon the goodwill that our partner federal agencies see us.
If they see us as a sieve, then we will see things after the decisions have been made. We need to understand - - and that's really what this document speaks to -- that if you have a question or you want to know how you do it, this is the way to do it. If you are going to give a presentation before some group and you are concerned, there are people that you can go to who can give you the advice, and at least you say you've gone through it.
So I think if we all accept these as goodwill guidelines of the norms of how we act on this committee to further the goals of this committee, I think this quite acceptable.
DR. DETMER: It sounds like I think it is a good idea if we call these guidelines instead of rules, because that's what they are. I think the other thing is that what we can do is take a stab at some of these suggestions, come back tomorrow, and I think we have a couple of options. We can either approve it, or you can decide to approve it and let's relook at it in six months, or decide to not do it.
I think it's a very good discussion. This is the kind of discussion that I wanted to have.
Lisa?
DR. IEZZONI: Don, can I just say that I did write an article that will actually be coming out in October in Medical Care and sent it to Marjorie and Dr. Detmer for their review. It was very, very helpful. You gave me great comments, and I very much appreciated how quickly you turned it around. It helped make it a better paper.
DR. DETMER: Okay, good discussion. We'll take a look at that.
Do you have other items from the public education group?
MS. WARD: Only that we will continue to pursue the effort of having material available for people, so they are not having to generate public presentations individually and off the top of their heads. We are getting some assistance through the department, and we will continue to pursue that.
As I said, the next goal will be presentation material that will be attractive, technically sophisticated hopefully, and will be available for those of us who will start getting calls again in November to do presentations. That is our goal.
DR. DETMER: Yes, I think the objective is to obviously find a way that we can more productively talk about what in fact we are up to, because of the value of that.
MS. GREENBERG: We spent understandably also most of the time talking about the guidelines, but you did get another set of documents. I think Elizabeth and the rest of us who are working with this work group, which also includes Kathleen Frawley and a number of staff, would appreciate just if you looked at this sometime night, whatever. Those of you who have a subcommittee meeting tonight, after that, I guess.
Just see if there is anything in it -- actually, Bob Mayes mentioned to me that he would like any kind of documents we put out to always mention that down the road we have this responsibility for the clinical guidelines or clinical standards, and I'm not sure that is in here.
So anything like that, this just was so that you would have something of a one page, two sider on HIPAA itself and what the department is doing; the same thing on what the committee has done so far, what meetings they have had, and what they are planning. Then just a list of contact people.
So just give us feedback to any of those, and then we can finalize them, and even probably get you a little bit better copies if you want to actually share them with people, which is what they are intended for; either for your own use or for sharing with people.
MS. WARD: Now this is sort of the catch up I was talking about, was getting things it would have been nice to have had three months ago, so that you would have had material that was the general orientation to where we are; the status of what reports have been given.
DR. STARFIELD: This is pre-decisional, is that right?
MS. GREENBERG: These would be public documents for distribution when we have finalized them. They are very close, I think.
DR. SCHWARTZ: Marjorie, is there some consideration of particular forums such as newsletters of associations and other places where once these are final and approved, they might be published?
MS. WARD: That is the other communication line that I talked to you about that we are putting with our media folks in the department, that kind of communication plan together. I think the only thing that we are being very cautious about, and I had said to Don I thought we might need to have some discussion, and that is we have sort of a very manageable, small scale communication plan.
We could escalate that, and do something a lot more sophisticated, but it would mean we would have to have fairly reliable, instantaneous ability for people one, two or three at the most, people of this committee, able to respond immediately to reporters who would call back.
That is the part that we don't feel yet confident that we would be able to say, we don't want to ruin the department's media relations folks with their media partners to ask them to put a real high scale program together, have all the reporters start calling, and they are never getting someone on the other end of the line. That would an enormous burden on our chairs of the committees and our chair of this committee.
So right now we are doing something very small, but it is putting stuff out, looking at conferences coming up. We may feel that we can come to that other level if we feel that people could really respond to the level of questions we would get back.
DR. SCHWARTZ: Just to make sure I understand it, for example if there was a newsletter from the American Public Health Association, and in the newsletter almost verbatim, we had these two documents in the newsletter, the concern would be that if APHA folks saw this, that there wouldn't necessarily be the adequate resources to support follow-up with respect to questions?
MS. WARD: What I'm saying is that we're not worried about the newsletters and those kinds of things. What we're worried about are more public media events, and getting a lot of other types of reporters who would be wanting instantaneously, I have two hours to get my report on your activities together.
DR. DETMER: What we assumed as we started is that some of our issues are pretty public issues. This is in fact to be a public room. We would like to respond. The question is, can we, and what ways can we at least try to move toward that? It's not so much all the public we've got; the real public out there, and how do we try to develop a strategy to deal with that?
DR. IEZZONI: This is somewhat related, but it might be just specific to our subcommittee. Since I'm the chair of our subcommittee, I'm beginning to get e-mails from people asking me about very specific areas. Frankly, I just do not have time to respond to all of these e-mails. Some of them, I don't have the technical knowledge to be able to answer the e-mails.
So what I have been doing is saving them. I now have 79 e-mails saved on my system. I feel very guilty about that, because I like to be responsive and respond to people, but is there any advice?
DR. DETMER: I think one advice is that if these questions at least could become a resource, a set of questions to put on frequently asked questions, that we can start putting on our Web site, and try to build something.
DR. IEZZONI: They are not relating to HIPAA. That's the thing.
DR. DETMER: Well, that doesn't matter; I mean to the committee and its work. Our only business isn't HIPAA certainly.
DR. IEZZONI: No, I know, but these are -- I see that you have like people listed for HIPAA-types of things on one of these documents, like right here.
DR. DETMER: Obviously as I say, we're feeling our way along on this. The executive committee will be talking about at its retreat and so forth. I think the point is that this is a dialogue that we're getting started. I think I would send questions in.
DR. IEZZONI: Send them to who?
DR. DETMER: To Marjorie.
MS. GREENBERG: Are they questions about what the department is doing?
DR. IEZZONI: No, they are things like what kind of classification system should we be using for disability, and things like that.
DR. DETMER: I'm not saying that you're going to have a specific, tailored answer to everything, but if these things start falling into some clusters, we at least could try to make some effort to try to respond.
DR. STARFIELD: I'm getting a lot of the same things that Lisa is. They are coming as what's the committee's position. They say, what's your answer on. What I could do is I could take a lot of time and I could give them my position, and tell them it's my position. That would be a huge amount of time for me to do that.
A publisher called a couple of weeks ago -- they called Don too, because I asked them if they had called you, and they said yes, and they hadn't gotten an answer. I basically said, I can't take the time to do this.
MR. SCANLON: Yes, you have to be a little careful. Some of these are actually people writing articles in trade journals and things like that. So be careful and make sure you take a good look at them.
MS. GREENBERG: Sometimes people are asking this because they see you as an expert in this area. It's good for us to know that, but like to send it to a staff person is not what they want. I guess like anything in one's professional life, you do the best you can. Some of them you give longer responses to, and some of them you just say I'm sorry, we'll take that under advisement, but I'm not able to give you a full answer here.
So again, I think we have to feel our way. I don't think this has ever really come up before, that committee members get a lot of inquiries of this nature. Maybe it's because e-mail has become so prolific. When people have to sit down and write you a letter, they really think about it; when they shoot you off an e-mail message.
MR. MAYES: Just a quick question. On the HHS side we put up our slide presentation on the Web site. Are you all planning on doing the same thing?
MS. GREENBERG: Sure.
DR. HARDING: Just another kind of question. In November Bob and I are going to do a point, counterpoint kind of thing at the Carter Symposium in Atlanta. Now we have been asked, because we are on this committee -- everybody knows that, and because of Bob's background and so forth -- should we then state at the start that we are speaking for ourselves, and is that then all right?
DR. DETMER: Sure, unless you are both willing to give the position of our public document.
DR. HARDING: That's not the question. The question is just confidentiality in general, technical aspects.
MR. GELLMAN: The answer is in my practice whenever I talk about this committee, I always say that. No one listens. No one pays attention. No one cares. You have complied with the statutory requirement to say you are not speaking for the committee, and everyone assumes you are. If it makes people happy, fine.
DR. HARDING: Except if you are debating.
DR. DETMER: Actually, having you both on the committee at times, I have some sympathy.
DR. LUMPKIN: I do have one concern about the debate, and that is why Bob is going to that, and not going to ASTO.
DR. DETMER: I do also think that it is useful for us to know just what presentations are going on. I may very well get a call that night, because somebody heard something in Atlanta and says this is the deal. I don't even know anything about any of this.
MR. GELLMAN: We won't give anyone your phone number.
DR. DETMER: I think we are going to continue to have a lot of fun on these issues.
The issue of the e-mail response business, I think probably we just need to centrally send an I don't have to time to respond to this personally, directly, but will forward it to the office or something. Maybe you can make a default message or something.
MS. GREENBERG: Obviously we need to discuss this. I would not want to raise a false expectation that staff are in a position to respond to Lisa's 79 e-mails. We get several hundred ourselves a week.
DR. DETMER: It is also true that we cannot do public education and not have to respond with staff support, if in fact that is what it's going to take to take it on and do it.
MS. GREENBERG: That's why I said it really needs further discussion.
DR. DETMER: I know.
MR. SCANLON: If we see what kind of questions are coming, then I think we may want to deal with the frequently asked questions.
DR. DETMER: That at least gets you to some of those things. I think if they are frequently asked, we ought to frequently answer them.
At this point we're a little bit -- unless there is more on this, we could move on if we want to the next item. I think we are scheduled right now to break for lunch at 12:30 p.m. We could break for lunch now. What is your pleasure?
DR. MOR: Why don't we do the planning and implementation now, and then break for lunch?
DR. DETMER: Okay. Kathryn.
MS. COLTIN: There are just two issues that I want to cover. One is to make certain that each of the subcommittee chairs is aware that part of their assignment for the breakout is to review their work plans and update them for the coming year. What we will be trying to do in the planning and implementation work group is to assure coordination across the various subcommittees, and to compile them upwards into a work plan for the full committee.
So that is something that you are being asked to do today. We had hoped to be able to provide each of the subcommittee chairs with a listing of sort of unfinished business in terms of carry over from the previous year, or even sometimes going back further than that, of issues that are now determined to fall into the purview of each of the particular subcommittees.
Since we have restructured and certain of the other subcommittees from our prior life no longer exist, we had wanted to make certain that we didn't drop the ball on issues that needed to continue to be monitored. We will be doing that, however, we were not able to get that out to you in time for today.
So if you are aware of issues that are carry over issues -- I know for instance Barbara is well aware of the work on the core data elements project, and what might need to be carried forward in that area. Please feel free to incorporate them into your draft work plans.
You will, however, be receiving from us in the next week or so, a listing of what we believe to be the outstanding issues that would fall into your area. You will have an opportunity to update those work plans if any of those have not been reflected in time for the November meeting of the full committee.
So that's the status of that. Are there any questions on that?
DR. STARFIELD: Do we have a list of our current work plans somewhere in here?
MS. COLTIN: We have the charge in there under one of the tabs; the charges to each of the subcommittees. I don't believe we have the old work plans in there. However, the material that you just got kind of lists the various meetings that each of the subcommittees had, and what the topics were. To the extent that you had in your mind what you were going to accomplish, you can use that as a barometer to see where you might have gaps, and work that was on this year's work plan that needs to carry over into next year.
DR. DETMER: Our subcommittee structure really makes it somewhat important, because there are some cross cutting issues that we're dealing with. Only if we sort of know what is sort on your planned docket, can we try to make some effort that we're not doing remedial meeting kind of work in retrospect.
DR. IEZZONI: Kathy, our subcommittee reviewed its charge and voted on its work plan at our July meeting. We approved our work plan, so we have an up-to-date work plan that we can give you. We also believe that we finalized all of the remaining issues at our June meeting.
So I guess my question to you is, how are you getting the information about whether we feel that we have addressed our issues, because I haven't heard anything from you for example? So it might look as if there are a lot of things remaining on the docket, but we in fact feel that we have cleaned our slate.
MS. COLTIN: I think when you get the listing of what appear to be outstanding issues, you can compare that with what you know you have dealt with, and determine whether you believe they have been adequately dealt with.
I think one of the questions that arises is, is an issue resolved when it has been discussed at the subcommittee, or is it resolved when it has been brought forward to the full committee.
DR. IEZZONI: In this instance they were brought forward to the full committee in June. George is nodding his head, because he was one of the unfinished business. So I guess what I'm asking is what is your communication going to be like with subcommittee chairs, or should this be something that we are going to discuss at the executive committee meeting?
MS. COLTIN: Well, in the past -- and this has not occurred for the last couple of meetings -- there was a rolling work plan included in the books that went out for the meetings, so that you could look at the work plan, and you could see the status of each of the activities, where the focus of the activities of each subcommittee. That has not happened.
We are going to re-implement that, but we have to go through a clean up first, by taking the last work we had, matching it up against the activities in the minutes of the meetings that have occurred in the interim, try to bring it up-to-date. So any issues that would have been on that work plan for which we know the issue has already been addressed at this committee, the work plan will be updated to reflect that.
So what you would then receive would be only those issues that were on an earlier work plan, where we have not seen any action that something has occurred, and therefore we are asking your committee to take a look at this and determine whether any further action is needed, or whether this is something which should be dropped, or if it is going to be carried forward, what your plans would be.
DR. DETMER: Part of what this will also help I think, depending on what that burden looks like, it helps me then work with Jim and Marjorie in terms of what kind of staffing we are going to need on some of these issues too, because there is no question there is a lot of staff work involved on most of these things.
MS. GREENBERG: I think if, on the other hand, the Subcommittee on Population-Specific Issues -- and I know I was able to sit in on at least part of their meetings -- feels you have addressed this, maybe just an e-mail message to Kathy telling her this is what we are doing with each one of these; nothing formal. There is no point having work done that has already been done by the subcommittee. So I would think if you could just do that with a cc to Lynnette and me and Jim.
DR. DETMER: It's principally the chairs of the working groups of subcommittees that we are really talking about.
MS. COLTIN: When we come back this afternoon and the subcommittee chairs report, you can simply say that you believe that your work plan has addressed all the outstanding issues, and that's where it will go from there.
If, in the interim, we identify something else that we believe belonged in your subcommittee under the reorganization, we may come back to you and say, do you agree that this is where it belongs? If so, would you take a look at your work plan in light of this new piece of work?
DR. DETMER: We're heading into our executive committee retreat soon, to try to lay out the year's plans. It's not like we'll be doing this at every meeting, but in anticipation of that meeting, we needed to get some of these things on our plate.
DR. MC DONALD: I get the sense from the subcommittee I'm on about security and standards with the little amount of time we spend at meetings, versus the amount of time that the work teams from the department are working, that they are getting way ahead of us. I would like to figure if there is a way that those who are from our committee are going to those, would give us sort of some heads up on what is really cooking, because we are kind of in the reactive mode then very often, instead of being in the helpful and shaping mode.
I know that we get these attached e-mail things, but I often can't decode those or decrypt those, because they are so secure. They are often very large.
DR. STARFIELD: Can staff make sure that we have the work plans? It's going to be hard to discuss the work plan without the work plan being there.
MS. COLTIN: I did notice that only the charges were included, except that I think for Lisa's subcommittee, it is far more detailed, and therefore it does list a lot of the tasks.
DR. MOR: Where do we stand on new recruits? I know we had a discussion at one point about this. Where do we stand?
DR. DETMER: Yes, I was going to ask Jim to comment on that before we adjourned tomorrow, but since it has come up, go ahead.
MR. SCANLON: There is a set of nominations that would fill all of the vacancies in with the secretary. These are her secretarial appointments, so she gets to actually choose. We were hoping even for this meeting that we would have at least some of the folks' names, but she hasn't named them yet. So hopefully by the November, by any account, we ought to have them by them. It would fill all the vacancies, the set of nominations.
DR. DETMER: Obviously, we need the extra bodies for some of our work, so the points are very well taken.
Other things, Kathy?
MS. COLTIN: Yes, one other thing. I just wanted to let people know that at the executive committee meeting in November, we will be trying to outline what all of our responsibilities are with regard to this monitoring of the impact of the implementation of the HIPAA standards, and formulating some plan for how we are going to evaluate that impact. We will then bring that to the full committee for review.
The other thing is I am putting together a draft outline for our annual report as well.
MS. GREENBERG: That is actually going to be discussed at the subcommittee meeting afternoon I believe, or this evening; whenever.
DR. DETMER: Other questions or comments?
Why don't we adjourn until subcommittee breakout sessions. You may want to start those at say 1:30 p.m.
[Whereupon the meeting was recessed at 12:16 p.m. for lunch, to reconvene at 1:30 p.m. in subcommittee breakout sessions.]