Transcript June 3, 1997 p.m. session

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

PERSPECTIVES ON PRIVACY, CONFIDENTIALITY, DATA STANDARDS AND MEDICAL/CLINICAL CODING AND CLASSIFICATION ISSUES IN IMPLEMENTATION OF ADMINISTRATIVE SIMPLIFICATION

PROVISIONS OF P.L. 104-191

June 3, 1997

Afternoon Session

Federal Building

450 Golden Gate Avenue

San Francisco, California

Proceedings By:

Tigerfish Transcribing and Editing

653 Francisco Street, Suite 4

San Francisco, CA 94133

(415) 474-5575

P R O C E E D I N G S

DR. DETMER: There is a new panel in front of us, also on the topic of public health and research. Dr. Newcomer, Dr. Luft, Dr. LaPlante, Dr. Abbott. I don't know which of you care to go first. We'd like to have you try to stick within ten minutes so we'll then have time for plenty of discussion. But we're pleased to have you here and we'll listen to your comments.

DR. NEWCOMER: Thank you very much and thank you for having me here. I'm going to be speaking to an issue that I think is very much neglected in a lot of our national data systems and that has to do with tracking of residents and the levels in need of care and utilization of services by people in group housing in the United States. And that's an issue that speaks both to the elderly and nonelderly disabled.

Now I'm going to start out by giving you a little bit of perspective on why I think data is needed in this area and in the middle come to a point that I think is most germane to the interests or the mandate of your panel in terms of where does this fit into Medicare and Medicaid data systems. And, finally, to put that into perspective, how important it is to improve data in that area by also looking at the question of how inadequate our national survey systems are and other sources of national data that might, hopefully, give us that information about group housing.

First of all, let me same very briefly that there are as many people living in group housing, that is, licensed residential care facilities as live in nursing homes. And it's an industry that is virtually invisible in national data systems. It's important that we have local area data in the system because so much of what goes on in this industry is regulated by states and by local zoning and other kinds of fire and safety ordinances. A common regulatory solution that we've seen in the past put a fairly strong fire wall between nursing homes and residential care and what we've seen in the last 5 years, and even moreso in the last 2 years, is a tremendous unbundling of that fire wall. So that today many states are operating to essentially make equivalent the population that can be in residential care versus nursing homes. Some of that is consumer-driven. Some of it is financially driven under the assumption that costs would be cheaper. In other words, there's a real risk the quality of care may be eroding in that industry.

Proponents of expanding the role of residential care argue that the cost savings and the necessity of normalizing the living situation for disabled persons are an important aspect of this. And I certainly would endorse that. But, on the other hand, the critics have expanded enriched levels of care and residential care, raise concerns with the resident's safety, the adequacy of these settings and, in particular, the fear that these settings may be less well-staffed, certainly less regulated and with a lot less training of personnel than we currently have in nursing homes. And the net result, they fear, would be a loss of our ability to manage the health care conditions in this population.

Data systems are not developing at the state level in response to this rapid change in policy. Now a short term strategy for addressing some of these issues would be to would rely on hospital discharge abstracts. Through these discharge abstracts, it would be possible to track conditions that we might define as markers for failures or breakdowns in the long term care delivery system, things like skin ulcers, malnutrition, dehydration, injuries, drug or medication poisoning, things of that nature. All that's needed in the data system like that is good information on where the person came from before they came into the hospital. Currently, the best source of, the best indicator that we have in these records is that they came from the emergency room. So, in other words, it's not tracking where people actually came from. It does give us pretty reliable information on where they go but in other words a fairly minor piece of data could very much enrich that data system.

Similarly, with regard to Medicare claims, here's an area where provider numbers might really, very helpfully, allow us to track diagnoses as they flow from a Medicare claims system into hospitals, into nursing homes, into other kinds of care systems, again with the ability to identify whether this is a licensed facility or not. Or if it has good address information to identify whether it's a group home of one sort or not.

Short of doing that, short of making these two data systems more effective in doing what they're already doing, what are some of the alternatives? Well, one of the alternatives is to continue to rely on the survey systems that we presently have. And let me explain why that would not be a good thing to do. The first thing has to do with the nature of the samples that are used in national surveys. They're, by definition, national. They're designed to give us the best regional estimates but never community-level estimates. So they're, at the point of delivery, at the point of regulation, they're not very useful information in terms of monitoring what happens in the state or what happens in a community as we change policy or as the mix of facilities and competing providers changes.

A second problem, and it's even more fundamental than that, is how we define group housing. In surveys, and in the census for that matter, group housing is a term that encompasses such things as nursing homes, mental health hospitals, noninstitutions such as rooming homes, communes, residential care facilities, homes for the aged, halfway houses, college dorms and so forth. To simplify matters, at least to the point of local regulation, for things like local zoning, fire and safety ordinances and so forth, states use a much more simple definition. They would define group homes as having 5 or more unrelated persons living together. So that meant if you were disabled or whatever, living with three other people, that you would be considered independent housing. When you get that fifth person in there, suddenly it becomes a group facility.

Now that's important because you fall into different buckets in terms of how they aggregate and report and the detail of data that's reported in the census. It's also important because in many surveys, including the Health Interview Survey, including the American Housing Survey, including any number of other surveys, if you're in group housing you fall out of the sample frame all together. So that you're not enumerated and we're not tracking relevant information about that population.

Now, I've given your Committee for your review, I won't be talking about it here, a review of 75 surveys that we have looked at and critiqued in terms of what their limitations are. The five that are most important, I think are most germane, are the Census, the American Housing Survey, the Health Interview Survey, the Medicare Current Beneficiary Survey, and the Social Security New Beneficiary Survey. And so I provided you more detailed information on that.

But, let me just say that all of these surveys, even these last five that I've mentioned in particular, have fundamental problems in there that are beyond just the sample frame itself. The surveys that had extensive housing data, for example, have almost none, or very little information, that defines health status or that defines functionality.

And, on the other hand, the surveys that give us good information on health and disability status provide very little information about living arrangements. So we've got this misfit between our two sets of surveys that, added to the dimension of the sample framework, whole classes of the population are excluded.

So what would I like to see happen? Well, beyond the immediate issue of putting and maintaining better information on hospital discharge abstracts and claims data, which I think are fundamental, it would be nice if this Committee, or whatever auspices would seem appropriate, would look at this question of the sample frames used in our national health interview survey and others and see if we can't do something about rectifying the problem with group housing.

Similarly, and equally important, dealing with the issue of measurement. I think at a minimum we've got do improve some of disability information that's available on the American Housing Survey. We've certainly got to do something about getting more disability information into the census. These are long-term objectives but their committee, I would believe, is in a good position to be able to work and move that forward. Thank you very much.

DR. DETMER: Thank you.

DR. LUFT: My name is Hal Luft. I'm a professor of health policy and health economics and director for the Institute for Health Policy Studies at U.C. San Francisco just up street. But the views that I'm offering on my own, they don't reflect those of the institute, the university or any of my occasional funding sources.

I've been trained as an economist. I've actually been trying to reeducate myself in that over the last 25 years. I've been working basically on the areas between economics and medical care delivery. And, in doing so, I've used a wide variety of administrative records such as hospital discharge abstracts, claims data and County data, etc. And the potential changes coming out of legislation are particularly important, because as I've often told people, I eat numbers for breakfast. I live on the data that you all are considering. But because I'm not a clinician--I've frequently worked with clinicians--I've learned from them to be very concerned about the quality of the data and also the potential burdens that data collection imposes upon organizations and the potential risks to confidentiality of data collection.

I also trained, did my postdoc, with Paul Bensen at Harvard. He was a pioneering statistician who really demonstrated the importance of good quality routinely-collected data for both assessing the performance of organizations and for learning how to improve medical care. One of the things that he taught us--drilled into our heads--was that the people who are responsible for the collection and maintenance of the data need to understand how and why it's useful to them and thus care enough to assure its validity and reliability. Otherwise, they will merely make sure that the number of boxes get filled that need to get filled, but not necessarily the right boxes.

Since I am, in a sense, an end user, I have to be very concerned that the people who are actually generating data care about them. And so I'm going to be focusing on some of those issues. Also, because I'm an economist I realize that data collection is not costless. While I truly believe that if only we had the right data and enough funding for research we would be able to improve the health care system and the health of the population, I don't think that's going to happen immediately. And I think we need to be sensitive in terms of the kind of data that we ask for, at least in the interim.

The other piece of reality that I focus on is that the current health system data capabilities, and those likely to be available in the foreseeable future, are at different levels at different sites, different delivery systems, and we need to be able to link data across systems in order to understand what's really happening. Otherwise, we have this problem of seeing an individual for a period of time and they just sort of disappear off the screen. And we don't know what happens to them and then they come back on some other screen some months later and we don't know why or what happened there.

So we need to be able to link data. And we also need to be sensitive to the different incentives and kinds of data systems that various organizations have. So, for example, a medical care group that is capitated for its care doesn't care very much about claims data. They may care a lot about encounter information.

Now what that means we've got different levels of information that are likely to be generated at different settings. Claims data typically don't have very precise diagnostic information. Even though Hicks is now requiring it, my guess is that the diagnosis code is just what you need to be able to justify the procedure and not any more precise than that.

On the other hand, in a capitated system or medical care group that is trying to monitor the quality of care, they may worry a lot about their diagnoses but not worry very much about coding down to the precise level of the procedure because nobody is being paid for the specific test. Although they will worry about what the test results are.

So this leads me to suggest that coding ought to be representing the expected degree of accuracy. Now, while the most precise codes would be best in all situations; pseudoaccuracy, I will argue, is worse than recognizing that some data are only approximate. As somebody who uses research, I don't want to be working five digit ICD 9 codes that were arbitrarily put down. I'd much rather have a three digit code that tells me, 'this is nondifferentiated,' and then go with it.

So what that says to me is we need to have the appropriate level of resolution. And that will vary with the kind of organization. But I think in terms of setting national standards, they ought to be seen as minimum not maximum. And so, for example, if an organization or if the State, let's say California Office of Statewide Health Planning and Development, is setting requirements for hospital reporting, in California we have a lot of racial and ethnic groups. You know, a whole surge of different subcategories of Asian Pacific Islanders, that mean a lot in California. That probably is not worth breaking out in Wyoming. And so, I would not recommend a federal standard saying, "You have to code down to the level of differentiating Samoans from Filipinos," but in California that matters. And as long as categories may be aggregated to some standard level, then I would argue for allowing flexibility in local institutions or states to be able to require more detail.

Second level of simplification is that I think right now we're in a transition phase between paper and electronic medical records that is somewhere down the road, but probably at least a decade. Dr. Detmer is much more expert on that than I. I think what we might need to focus on is not requiring the maximal level of data on everybody, but to say, "Why do we need some data at certain levels"?

So, for example, I've done risk adjustment models using hospital discharge data and we've chosen not to do risk adjustment models on certain categories of patients because the detail level of information isn't availability in discharge abstract. You wouldn't want to require certain levels of detail for all patients, but you might be able to say to the hospitals, "Here are a list of three dozen or so relatively common conditions and procedures," and for each one there'll be, in essence, a pull down menu that tells you the additional variables we need.

Okay, if it's a bypass surgery patient, we need to know ejection fraction. And you wouldn't be operating on that patient if you didn't know it. Okay, although I don't need ejection fraction for every patient who walks into the hospital or is wheeled in. So, there are large numbers of patients for whom we really don't need a lot of detailed information because you are never going to look at them in great detail.

There are a small number of categories of cases where we really might be able to ask more detailed information. So I think we ought to do that. Patient confidentiality is a crucial concern. There's obviously real potential harm if information is disclosed. But in my experience in research, I think the experience of most researchers, is that it really comes from the research setting. It's, somebody had a computer at some pharmacy and sold the computer and it had a whole bunch of patient records on it with names and records and things of that sort, those are things that we need to worry about.

I think it's perfectly appropriate for institutional review boards to review protocols to monitor how data are going to be handled, etc. I think the linkage, however, is crucial. And in some cases we need not just social security numbers or something better. Social security numbers are not wonderful. In California there are a lot of people without social security numbers, some of them newborns, some of them not newborns. And there are a lot of illegitimate numbers, and it's not designed to be a record linkage number. That's really appropriate. We ought to be able to do better than that.

Once things are linked, and I will argue for redundant linkages to be able to check on things, then the identifiers ought to be stripped. I don't want them floating around on a data system I'm working on. But I want to make sure that somebody has checked and linked them appropriately. In addition, I think there are ways in which data, again, being used for research purposes, could be jittered in a way that doesn't bother me as a researcher and yet add to the confidentiality.

So, for example, one could take a random number, from plus 30 to minus 30, and add it to all dates on a data file with the random number being keyed to the individual. Okay, so every time that individual appears, his or her dates are moved up or back by some random number. I don't know what the random number is. It doesn't matter to me. It means that it's going to be much more difficult for me to find an individual if I know their birth date because now it's within a 60 day window. I won't know when they were really admitted to the hospital. But I do know that every admission and discharge is in the right relative temporal order. And we've now provided an additional layer of confidentiality. If some hacker happens to get into my data set or if we ever replace our computers--the university never replaces computers--but if we were ever to do that and somebody were to look at a hard drive and find some data on there, it would be meaningless to them.

And so I think there are a series of things that can be done by the research community and by the people who are providing the data. I think the development of good linkable data sets with well-coded and valid information is really essential to monitoring medical care performance and improving patient care. The fact that it provides things for researchers to do is really only a secondary concern. I think we're beginning to learn that health care can be improved and data is what we need to do to move in that direction. Thank you.

DR. DETMER: Thank you. Dr. LaPlante.

DR. LaPLANTE: Hi. My name is Mitch LaPlante and I'm an associate professor of social and behavioral sciences at the University of California San Francisco. And I direct the Disability Statistics Center, a national center that performs analysis and disseminates information on disability in the United States.

Much of my work has involved analysis of national survey and to some extent hospital discharge survey data. So I think I come at this in a similar track as Dr. Luft. And I share all of his value statements about research that he's expressed. This analysis has been in the area of impairments and disability but also I've been very concerned about advocacy efforts to promote more useful data. And so I view this testimony as an opportunity in that vein.

I am not totally familiar with the Health Insurance Portability and Accountability Act, although I've done a little research on it, and I understand that it does call for standardization of electronic filing and transmission of administrative and financial transaction data and encounters or claims data. But persons with health providers and transactions among health providers and while it doesn't dictate the content of the information to be included, I would think that in developing standards for transmitting data some consideration must be given to content. Particularly since the information contained in the transaction should be optimized so that as many parties as possible can make use of it. And I think, also, the size and operations performed on these data bases will reflect what the content is that's contained in them. So, to me, it seems that standardization of transmission implies to some extent standardization of content as well.

What I wish to comment on is certain informational needs pertaining to the fields of health and disability services research that I feel--and these are my statements, not those of the universities nor my funding sponsors--that I feel should be considered and highlight some of the administrative and research implications of these. I wish to consider the inclusion in this system of reliable, functional and disability information which can provide needed data on health and disability services.

Functional status and disability status play two roles, I think, in what we're talking about. First, functional and disability status are proven predictors of health care utilization, including both acute and long-term care. Secondly, they are increasingly used as indicators of the effectiveness or outcomes of services. And I think that any data system should reflect the fact that disability is both a characteristic can be used to identify need for certainly types and levels of services as well as an indicator that can used to evaluate the outcomes of services that are received.

Some of the applications, that information on functional or disability status that might be of interest to health plans and providers, include first ascertaining the proportion of the population with disabilities and disabling health conditions that a plan serves and that are covered.

Secondly, I think that plans and providers would be interested in the array and volume of services that people with functional limitations or disabilities utilize. Thirdly, I would say that there would be possibly an interest in client satisfaction and usage outside of specific plans. And fourthly, an interest in the evaluation of the outcomes of services that are provided.

So I think there is reason to think that plan providers would have an interest in the inclusion of this information. Research uses of this information, I think, are many and critically important. I believe if all transactions are represented in this system and can be linked together, it serves a most important function as a health registry much as the hospital discharge data system of the Department of Health Services now does in California with hospitalization data.

However, the registry function is not completely realized because uninsured populations may not be represented or represented adequately in the system. Nevertheless, if security and confidentiality can be insured for those in the system and data can be made available for research purposes, it seems that this would generate a massive amount of needed information that would stimulate health and disability services research immensely. Let me highlight some research applications that I can think of.

First, the system might provide needed statistical data for determining the rate of low prevalence chronic diseases and disabling conditions in the population, including diagnoses such as Spina Bifida, Cerebral Palsy and other rare conditions using geographic and other demographic variables. With a system such as this very reliable small area statistics could be created helping service providers to better understand the unique needs of local populations in their service areas.

I imagine that creative researchers will push the envelope even further and make use of this information to identify risk factors and further epidemiological knowledge about the generation of some of these conditions.

Second, I think that comparative data on different covered populations could be obtained and much more useful than we have available now. Public insurance systems have a greater proportion of people with disability served than private insurance systems owing to SSDI, SSI and other public disability programs that provide public insurance coverage.

I would stress that a goal for the administrative simplification requirements is that both public and private insurance systems be equally included. And this is necessary to compare across these major populations. But, looking within the private system, I think this data system could help answer the question of whether people with disabilities are less represented in capitated versus noncapitated plans.

And that's a question that's increasingly relevant as managed care penetration increases, as well as questions about the quality and quantity of services they receive. Third, longitudinal research is certainly needed and I think this is feasible with this type of system. Desiderata for such a system would be that people may be tracked from provider to provider, while also tracking disability and functional status and changes therein. Some research questions that come to mind are, can we ascertain different profiles for people discharged from hospital to community settings versus those discharged to other institutions? Do people do better in the community and is community care more efficient? Can we track cases from acute hospitalization discharge to rehabilitation and evaluate outcomes for rehabilitation providers?

I believe these questions can and will be answered if the administrative simplification requirements ensure that the data needed for research purposes are included.

The last question highlights the need for identifying rehabilitation services in this system. Rehabilitation services, by that I mean those that are intended to improve human functioning. And rehabilitation, is as we know, a big industry. But estimation of the volume and types of medical rehabilitation services is not possible at this time, even for in-patient services, because the information simply is not available. Rehabilitation may be provided by specialized rehabilitation facilities or by specialized units or providers within more general facilities. Thus, it is extremely critical, I think, that rehabilitation as a type of encounter identifier be included in this system and applied to all encounters that are recorded by the system.

It's not sufficient to classify the type of facility or provider as providing rehabilitation or not. For example, a skilled nursing facility may provide both nonrehabilitative as well as rehabilitate services. And if identification of rehab is provided, it's possible that this source of data might also be useful in developing payment schedules for rehabilitation services.

I think this is feasible. There is an evolving standard of classification offer by the World Health Organization which is called the International Classification of Impairments, Disabilities and Handicaps. And though this is the classification that's evolving, it does offer a standard for consideration. And I would think that both the domains of impairment and disability ought to be included within the core data elements for this system. Remaining issues involve when to record disability information, how often, by what methods, whether self assessed or clinically assessed or both. All these issues need to be evaluated carefully with the goal of getting the right amount of useful information while avoiding unnecessary or excessively costly data collection. The committee in its report Core Health Data Elements reserved place holders for disability and rehabilitation. And I commend them and you for that action and encourage that place holders be established in the implementation of the administrative simplification requirements. And, lastly, as a researcher, I look forward to using the proceeds of this effort.

DR. DETMER: Thank you very much. Dr. Abbott.

DR. ABBOTT: Thank you. It's a pleasure to be here and to join with you in your deliberations on these very important matters.

My name is George Peter Abbott. I'm an example of one of the problems of using a name for uniquely identifying individuals.

We in California, as you heard earlier today, have been looking at, examining and developing various approaches to dealing with several of the issues that are within your mandate, specifically that of developing a unique patient identifier and also in the area of developing standardized data elements as well as the use of administrative data sets for a variety of public health and research purposes.

As part of our responsibilities on the State registrar and the state responsible for birth, death, marriage dissolution, et cetera, also producing a variety of reports on health status measures of Californians. And I also have responsibility for several local health departments in rural areas and we also administer an indigent health care program on behalf of 34 counties.

So, within my own personal experience and obviously within the Department of Health Services, there's a great deal of interest and expertise in this area of data and information. You have in front of you my written testimony, and I should pause to point out that I'm indebted to Gwendolyn Dovert, the staff at the Center for Health Statistics. Many of you know her. She is the assistant chief for health information policy for the department and really did the, most of the work in pulling the testimony together.

I also should point out that this represents Gwendolyn and my points of view and does not necessarily represent the official position of the Department of Health Services.

I'm going to choose to just highlight a couple of areas that came up this morning. First of all, the importance of standards to public health and research cannot be under emphasized. The ability to access clinical data sets and information for a variety of public health purposes, whether or not it needs assessment, problem identification, evaluation of effectiveness or impact of programs, it's absolutely critical.

Several of you have noted the need to both follow individuals longitudinally over time as well as across various programs. And this is increasingly important as we address various health issues confronting our nation and the State, as well as implementing various new laws such as the Welfare Reform Law and immigration reform as well.

The issue of the unique patient identifier is one that has really interested me for my entire professional career. And I also have a UCSF link in my lineage as well. I also remember when I came out of medical school, the computerized medical record was just around the corner, and that was some 25 years ago.

Six years ago, Molly Coy, then director of the Department of Health Services, asked the Center For Health Statistics to work with other stake holders to develop an approach to a unique patient identifier. And, as Cathy McCapry indicated, you will have the good fortune and the good luck tomorrow to hear from Jerry Oliva.

Today you have the bad luck to hear a little bit about this same thing from me, as well as you have a fairly detailed packet of information on what we adopted here in California in terms of our minimum common data set. The issue at the time was one of considerable sensitivity and complexity just as it is now for you. And the issue is not only what to do but how to do it and how to implement whatever we decided to do.

We did look at numbering systems, principally the social security number, but we also have other numbering systems in place here in California and found them wanting for a variety of reasons, many of which Dr. Luft has already mentioned. The approach in California, then, was to develop a virtual identifier or a minimum common data set. And those, there are five core data elements, or seven if you are actually a computer programmer. In that we have chosen birth name, both first, middle and last; mother's first name, gender, date of birth and place of birth. There are also seven confirmatory data elements that are part of our set. And these are described in the materials in actually excruciating detail so I won't go into them. But, in fact, existing numbering systems that are used by a program are part of the confirmatory data elements as well as some others that you would suspect would be on a list such as this.

Now, the reason why we chose what we did was the belief that, first of all, the cooperation of the patient or the client is absolutely essential in identifying an individual. And what we were looking for were things that a client had a pretty good chance of remembering and also that were fairly stable. Thus, we chose not to use mother's maiden name because this is often confusing to various cultures, and in various languages, especially here in California. We chose instead mother's first name because this is not adjusted by marriage and things that happen, particularly to women during their life and seem to be a relatively stable variable.

We also chose birth name, not current name, not alias. Again, something that was relatively stable and, in fact, most people would know and be able to remember. The rest of them are fairly straightforward: Place of birth. In California, we go, if it's a California individual born, then it's county of birth; if it's a United States born individual then state of birth, and if it's a country outside the United States, then the name of that country is the approach that's taken.

We've had a group of staff working for some time to develop specifications for these data elements. And we are now in an implementation process with the goal, actually a mandate, that all departmental programs that currently utilize or collect personal health information, will document and implement these core data elements by June of 1998.

In addition, we are hopeful that other state agencies and departments will adopt this because, in fact, we feel it is of interest to be able to link data and information from mental health, alcohol and drug abuse which are separate departments in California as well as developmental services in other social and human service programs.

I'm not going to go into why we did not chose social security number, but it was really for two reasons. One that Hal mentioned which is we have, in fact, found that social security number through a variety of studies is not a terribly reliable numbering system to uniquely identify individuals in this state. Then the other one is, is the other amount of information, much it sensitive and personal, which is associated with the social security number, which, if linked with health and medical information, potentially could be very damaging to the individual.

We're not sure how this effort that we have embarked upon is going to work. Some of the issues and questions that you, no doubt, will grapple with, we are currently grappling with right now, which is a lot of programs that don't collect this information now. And so, in order to do that, they'll have to change their intake procedures, reprogram their data systems, et cetera.

We also recognize that there's a cost involved in doing this. And that, of course, is one of the issues that will confront you in terms of various state and local health agencies as well as federal programs which will have this as a consideration. There's also the issue of timing and flexibility and things of this nature.

One of the things that we choose to do in our approach here was not to mandate a new numbering system or to mandate changing the way an existing program or locality actually was currently identifying individuals. In fact, our approach has been to build on top of that and to utilize the programmatic numbering system as an adjunct to our work in the area of a confirmatory variable.

And the value of this is both administrative as well as practical and, again, the jury is still out but we think what we are trying to do in California is, in fact, an approach that has merit and we would hope that you would consider this in your deliberations. Other stake holders that were involved in this also included the schools, also included other agencies and individuals who are interested in linking data and information across programs.

A couple other points that I just wanted to make to you, and that is, it's very important to have a very good understanding of what you want to do and how you want to go about accomplishing that in terms of the goals of a unique patient identifier or in terms of the standards for the data that is your mission. In particular, our approach is not one that will one hundred percent uniquely identify an individual despite attempts to avoid our identifying them.

Clearly, as I mentioned earlier, our approach relies upon the voluntary cooperation of the patient, as do most approaches when you really think about it. The other point on this is to think about whether or not this type of approach is going to be used in a real time online case management or clinical type of application where standards of accuracy and accessibility of the information are much more important, as opposed to using the unique patient identifier, the minimum common data set to actually identify an individual over time within a program or within two different programs or to merge two different data sets on a batch type of basis.

These differing types of needs for applying this approach and technology are critically important in terms of the design and development. Again, something that Dr. Luft mentioned that I would like to endorse as well, is that your recommendations be viewed as minimums. And as he very eloquently pointed out, especially in the area of race, ethnicity, and as well as some of the other speakers here, there may well be tremendous needs for states or localities or programs to build upon the recommendations and the minimum standards that you have established with appropriate roll-up provisions so that the data can be combined and aggregated on a national basis.

One of the things that was talked about earlier in the panel that preceded lunch was the issue of confidentiality. And, in my view, it's very important to determine what data is, in fact, the confidential data that you were talking about, either in its own right or when combined with other data and information. And in California the birth certificate is an open record. But it does have a confidential portion to it, where medical and personal information, including the address of the mother, is, in fact, maintained.

And as was mentioned earlier, there are state laws that govern the access and use of this information. This just again illustrates a couple of points that I'm trying to make so if I could just give these to you. I'm sorry I didn't pass them out earlier.

The basic approach in California, we rely on what you call institutional review boards. We call them our Committees on Protection of Human Subjects as well as Vital Statistics Advisory Committee. There's those 3 levels of questions that we ask and are required to examine by our statutes. The first is, does the data requestor want confidential information or personal identifiers? And if the answer to that is no, then we need to proceed no further. And we make our public use tapes available and, in fact, that proceeds quite nicely. If the answer is yes, then the next question that is of great relevance. What is the intended use of the data? Is it to contact the individual? Will it be released in ways in which the individual can be identified? Is it the INS that's asking us for these data?

And, depending upon what is the proposed use of the data then, in fact, a lot of things fall within the requirement of the Institutional Review Board approval and review. And then, lastly, who is the requestor? In California if, in fact, you are a member of the local health department, a local registrar of vital statistics or a departmental employee or, in many cases, a consultant to the department, then this also is a very relevant piece of information and guides us through what was described as a bureaucratic maze in terms of making the data available.

In this way, we are able to afford a significant measure of protection of confidentiality, privacy, et cetera. On the issues of privacy, confidentiality, consent, security and access, in my written testimony we spend a great deal of time speaking to this. And as you have already articulated in your questions of other panel members in your statements, this is a very, very significant issue for you and for the people. Because, as has been pointed out, public tolerance of what we are proposing and what you are considering is exceptionally important. And, as was mentioned in an earlier panel, the issue of confidentiality and access is one which our legislature has been confronted with on numerous occasions, the confidential portion, the birth certificate, reporting of HIV names and infectivity and things like this are very sensitive matters, have tremendous implications for individuals and that certainly cannot minimized in any way.

On the other hand, it is tremendously important that legitimate users have access to these data and the ability to combine the data for purposes as was described by the previous two speakers for research, statistical and legitimate purposes. I would encourage you not to consider, for example, making all data private or confidential or of placing such significant requirements and burdens on persons to access it that, in fact, many of the hoped-for benefits of this federal legislation are, in fact, not realized.

We have dealt with these issues before. You know, the fact that a lot of data now has increasingly become computerized does not in any way change the fundamental equations and fundamental issues that, in fact, have been dealt with and dealt with relatively successfully through a variety of federal and state laws.

So, I just want to mention that as a major supplier of data of vital statistics, health and morbidity and mortality information, these are critically important to both the state and local level. And we must maintain the access and use and benefit of these data as you consider these issues and make your recommendations. Thank you very much.

DR. DETMER: Thank you very much.

What we'd like to do now is open up to some give and take between the Committee and yourselves.

DR. COHN: Yes, Dr. Abbott, I was fascinated by your discussion and actually found myself just sort of wondering about your approach to, I guess, the common core data elements for identifying individuals uniquely. Now, first of all, I was referencing one of your, a piece of your written testimony that talked about the costs of implementing HIPAA, as you described, you felt would be relatively substantial. Now, I was actually sort of curious of what your estimate of costs were for implementing these common data elements, if there was any projections you have or expectations.

DR. ABBOTT: Well, we currently are gathering information now. My estimate would be, if everyone does what we hope they will do, that we're probably looking, just for our department, costs in the neighborhood of 10 to 20 million dollars, with the bulk of those costs being incurred by our state Medicaid or Medical program. Their current estimated is 6 to 8 million dollars to implement the collection of the additional elements to do the reprogramming of the software and to make other necessary provisions to accommodate this.

DR. COHN: Are you comfortable with those figures as being likely what they will be?

DR. ABBOTT: My general experience on data and information systems is they tend to cost more than you originally think. So, I'm comfortable from the point of view of marketing and salesmanship that those are darned good. But when it comes time to, actually implementing them, particularly for the death certificate which will be where, from my own world, I will have a significant set of issues on how to implement this. Then I, of course, might take a different perspective.

DR. COHN: Okay, can I ask one follow up question here? I just wanted to understand from you your comfort in terms of, I guess, the recommendations about this type of approach to a personal identifier.

DR. ABBOTT: Well, you can speak with Dr. Oliva more tomorrow, who is more knowledgeable and has done more of the work in this area. But my knowledge of this is, is that the tests that we've done show them to be accurate in terms of identifying individuals within large data sets to the tune of about 98 percent to 99 percent. Now, whether or not this is adequate for all uses, I can get back to the point that I originally made. It really depends. For most research and statistical purposes, this level of accuracy is quite nice. If it was in an emergency room, you know, clinical type of application, then, of course, a higher standard would be desirable, if not necessary.

DR. DETMER: Bob Gellman then Jim Scanlon.

MR. GELLMAN: I've got a couple of questions for Dr. Abbott and Dr. Lott. At the end of your statement, Dr. Abbott, you made a comment about computerized data and the fact that data was--I'm not sure I quite caught it right--but the fact that data was computerized didn't really make any difference to its confidentiality?

DR. ABBOTT: Well, in part, this is this sort of Orwellian, you know, 1984. 2084, or whatever, you know, concern about government or industry or the medical industrial complex having this access to computerized information which is going to be used to the detriment of the individual.

The point I was trying to make is, yes, computers in some ways probably make breaches of security and confidentiality more worrisome because of the numbers of individuals that could be potentially affected and the range of data. However, the issue of confidentiality of medical information, the issue of negative consequences on the individual has been long with us in the field of medical practice and particularly, public health. It's there in terms of disease reporting. It's there in terms of the birth certificate, death certificate and things of this nature.

And the only point I was trying to make is, is that the fact that a lot of the data and information is now computerized does not necessary change the fundamental nature of the issues and the arguments.

MR. GELLMAN: Well, with at least respect to some data, I might disagree with you. I'm not sure. I haven't thought about this in terms of medical information. I mean, I agree with much of what of just said. I think that was all perfectly fair. But, in some context, the computerization of other kinds of information makes a tremendous difference, especially the things that we've tended to call public records.

The example that I'll use is in Oregon. This happened last year. Motor vehicle license numbers records were always considered public records and available. Somebody took the state file legally, put it up on the Internet and made it searchable. There was a fire storm of public and political opposition to this. This was considered to be some increased violation of privacy. I don't know what exactly. I didn't read all the articles about it.

But when you take information that had been on paper and available in one place and all of a sudden it becomes computerized, available and linkable with other kinds of data, there can be a significant difference in the quality of what you're dealing with. And for whatever it's worth you can, if anyone's interested, you can take a look at the Supreme Court decision and Reporters' Committee for Freedom of the Press, a few years ago, where they said records that were on paper in a certain context in dealing with criminal history records were not protected. These were public records. But when the records were centralized and computerized in one place then their disclosure would constitute an unwarranted invasion of personal privacy.

DR. ABBOTT: I would agree with the fundamental thrust of your statement and, in fact, in California we're trying to deal with that right now, in that California is one of the few open records states related to vital records so that the public portion of the birth certificate is available to anyone. The death certificate is a completely open record. And there are a lot of concerns that are being voiced and expressed, some related to data and information, others just related to impostors, you know, assuming identities of individuals and things of this nature. So it is a very sensitive and complex area I think.

MR. GELLMAN: Well, actually, that was my second point. I was going raise that question about, you know, it may be time to reexamine, you know, a variety of contexts, what we've treated as public. And given the change in technology and change in standards and the risks that, what used to go as traditionally accepted by the public may need to be, I'm not saying that it shouldn't be, but it needs to be reexamined.

Dr. Luft, I am intrigued by your, some of your suggestions in here about approximate values. And I wonder if there isn't some way to use that in another context. In order to do to some of that, you need some fairly highly sophisticated linking capabilities in order to do the linking and then modify the data. Who's going to do the linking? I mean, what mechanisms do you see as available to do that?

DR. LUFT: You mean organizations?

MR. GELLMAN: Yeah, right. What institutions are going to do this?

DR. LUFT: I'm relatively agnostic on that. I don't particularly want to, okay. I like analyzing the data, not linking them. For example, on some data that we're getting right now that require linkage, the data from two different sources are being sent to a third party who has been vouched for by both of them. The linkage will be done, the identifier stripped off.

And then the linked but nonsensitive data then passed on to me to do the analysis. As long as there are a small number of, there's got to be more than one so there's a little bit of competition, but, you know, I don't want anybody to have a monopoly on this unless it's a public agency. But even then, you're not quite sure about responsiveness, that you can have multiple sources that would be able to do the linkage who have no interest in the underlying data. In other words, whose only job it is, is to link the data and then pass it on with appropriate public oversight on the process.

DR. MOR: In the earlier panel, actually, we had a similar kind of suggestion or there were some queries about that. How about issues of quality control? I mean, you're a researcher. I'm a researcher. We get obsessive about how those links work. And at the margin where there's a two percent error or one percent error, you know, Mitch does this all the time. It's that last bit of error which could be highly biasing. How do you, if you don't have a check, how do you know how good the linkage was?

DR. LUFT: Then, under a contract to the State of California, where we've actually gotten the confidential files under contract--you can't use them for any other purpose, obviously--and this was being used for developing, quote, "hospital report cards," where mortality statistics would be made publicly available in an aggregated level.

In doing the linkage on those data, we used a standard that I would say was an order of magnitude higher than what we would require for research purposes. Because the principal concern that I had, as a consultant contractor to the State, was wanting to protect against the report card coming out, the press conference being held with hospital director Jones saying, "And here is Mr. Smith who you said died," because somebody hit the linkage wrong, okay. So we double and triple, and, you know, we checked as many variables as we could and we're very conservative about that. We passed the data back to the hospitals to check, et cetera. I think there are multiple layers of levels of accuracy that you can have. Most researchers do not require it to be that accurate. And I think one can titrate it. And you pay more for more accuracy.

MR. GELLMAN: Well, the reason I asked the question about who does this, is because in the context of both the administrative simplification legislation a couple years ago, and earlier versions, and in some of the privacy legislation, there were proposals essentially to set up linking organizations. They were called various things and various bills. HIPO's in one version or HISO's in another. And these became, you know, sort of like, hey, this is a great idea. Let's set up a way of linking data so we can provide useful data to people that they can use and this issue kind of blew up on itself because people looked at it and said, "We're creating, you know, essentially centralized data banks of data, patient data, that are going to become enormous targets." And that has disappeared from the discussions. And the question is, how do we find a way to do this that balances off the interest yet doesn't raise all of these kinds of privacy concerns?

DR. LUFT: Right. I mean, one example or one way that you can do this, and actually when we link data, we don't put these two great big wide and long data steps together and match them. What we do is we take one big data set of, one big file, with a record, just a sequential number, with the identifier information. And then we create another file from the other data set, and then link the two very narrow but long data sets, get those right with the seven identifiers or however many you're going to be using. We're never having patient-level data from this side or patient level-data on this side. Once you do the link then you can go back and you can go back, if you wanted to, to the two agencies separately. And then put back the patient data with the record number, the sequential number, and do it. So the person who does the linkage actually never sees the patient-level confidential data. All they would ever need to know is that somebody, with the seven identifiers that Peter described, was in the data set. They wouldn't know when or what hospital, what diagnoses or anything else.

Now there's a little level of sensitivity to that but not a whole lot. You don't even need to let them know that this a file of AIDS cases or of births or whatever you state. "Here, these are two files." If you're a big data system, you might be processing a couple of these a week and not even really know what they're for.

MR. GELLMAN: All right. Let me go back to this approximate value idea. We're talking, I've heard another context but I think it's, I just wonder if this can used in a different way. The question came up this morning, I raised the question this morning, how do we distinguish between various kinds of research-like activities that are conducted by different people?

And I'm wondering if, you know, how much of health research can be done using this sort of approximate value idea? I wonder if the people that can do research in that fashion can't be distinguished from some of the other people who were doing other kinds of similar activities but that had a different quality about them? Do you see where I'm headed?

DR. LUFT: Sleezy quality?

MR. GELLMAN: No, because none of the activities we're necessarily talking about. I mean, for example, if I'm doing, if I'm doing, I'll give you a specific example. You give me an example of the research that can be done and with the approximate value, you still get all the benefit of it but the ability to identify people from whatever data is left has been removed.

If I am doing a similar activity where I am not interested in patient identification but I'm doing a fraud and abuse investigation of doctors, I can't do this, because I have to be able to, I can't prove that a doctor committed fraud with respect to this particular patient or on this particular day if I have records that have been changed. I mean, when I end up going to court to convict the guy, that doesn't work. So, I mean, I'm just wondering if there is a way of distinguishing among all of these activities by using, can you do this? Can you approximate some of the values in your data? Is that, see where I'm headed?

DR. LUFT: Yeah, but let me give you an example. I think one of the ways to handle this would be through something akin to institutional review boards. In many instances there could be a standard protocol that would work for most individuals.

Let's say that you had, let me move away from the enforcement question that you had because there you might want to deal with subpoena issues and other stuff. But a very simple research question where date matters. Okay, let's I'm interested in whether patients are being discharged sooner if the hospital is very full. And so I need to know how many patients are in the hospital on any given day, within a certain kind of unit, within a certain diagnosis. And I can do this if I know the exact dates that patients are coming in and being discharged on. And so, I would then say to the IRB, "I can't deal with this jittered data." And they'd say, okay, but we're concerned about the information. Do you care about where the patient lives? The zip code? No. Do you care about the age of the patient? No. All I care about is the date of admission and date of discharge.

So you can now get rid of a whole bunch of other kinds of data that would be confidential or sensitive and just give me the admission and discharge dates. And I lose a whole lot of other sensitive information and, in particular if, and remember when I was suggesting the jittering? The jittering might be better if it's done locally rather than centrally.

So, in other words, if I get a set of jittered data or if I get a set of data and I have to jitter it, and then Mitch gets the same data from California but he has to jitter it himself, no one can put my data up against his and link them any more. And so you provide an extra degree of confidentiality there. So no one could then take my data, compare it to this other person who has real discharge and admission dates and link them and somehow break the code. So I think there are ways in which you could deal with it through an IRB kind of arrangement case by case to see, what is it that you really need here?

DR. DETMER: Mitch, do you want to weigh in on that?

DR. LaPLANTE: Well, I can't really say whether I think that local jittering or centralized jittering has an advantage. But, fundamentally, I do agree with the concept. And, whether done centrally or locally, I think it's an additional protection that does offer what Hal is suggesting.

And, but I also wonder, I think, what Hal was talking about led to this bit of an incipient idea that, is there any possibility that there could be some unit that controls identifiers such that various people who have to buy in or have to get into the system in order to get their information processed, could somehow call up a centralized unit to get an identifier. They would have to give specific information about the individual to get the identifier. But once the identifier is got, then somehow that can be placed into the record stream and the other information can be stripped out. And then, when it goes to the next step in the process such as, for example, somebody's been discharged from a hospital and now is being admitted to a rehabilitation facility, whether that rehab facility, using the patient-identifying information, can then easily get access to an identifier for that person that's going to link those records together. That way the records never have to be linked but the information is linkable across the system.

DR. MOR: That's a very important point. It takes us away from the broad research application but to the point where Dr. Abbott was talking about, what is the reliability of this kind of name sake type system in terms of its applicability for individual clinical situations and circumstances? And, it is my understanding that one major part of the Administrative Simplification Act allows it to have a mechanism where electronic transactions, such as determining and confirming the eligibility of the patient would, whether it's for payment or for what have you, would be part of that system. How would that kind of verification work under this kind of naming identification system? And, obviously, therefore, enable it to transfer information onto the next provider for clinical utility sake.

DR. LaPLANTE: One of the key factors there is whether or not the patient or the client is sitting in front of someone, interacting with them, as opposed to an anonymous type of linkage. Most of the types of situations that I have thought about or discussed that are clinical, usually the patient or the client is directly involved.

Now the patient can be unconscious. I mean, there's a variety of settings but, you know, in a system where you come up with eight possible Peter Abbots, you know, in the computer system and I'm sitting there, you know, someone can rapidly interact with me and figure out which one is, in fact, me.

And so, that's one of the safeguards that I think is present in a lot of these types of applications. The work that I do, since I'm not a clinician, is more in this statistical linkage area. One of the projects that we have that Hal touched upon was to actually link the mortality file with the hospital discharge file. And so that enriched the OSHPED discharge data file by knowing, you know, if, in fact, patients died fairly close to an episode of hospitalization.

You know, false positives or negatives are, you can tolerate some of those in that type of system, as opposed to the type of situation you're talking about where it could be a life or death decision in terms of clinical applications.

DR. MOR: But, I guess, in the system you have based on names and birth date, et cetera, assuming the client is there in front of you, have you done any tests to determine whether that is a superior approach and how many of these checks you have to go through in terms of the secondary confirmatory elements you have to go through to, before you actually have, oh yeah, this is absolutely a match?

DR. ABBOTT: Again, I would defer to Dr. Liba, but, you know, the tests that I'm aware of, using just the five or seven variables, had a very high level of reliability in 97, 98 percent. If you also add to that more of the confirmatory variables, my suspicion would be that your level of reliability would go up. When you start to mix and, you know, you have the problem of missing data elements and things like that, it gets much more complex as you no doubt know.

DR. DETMER: Scanlon and then Simon.

DR. SCANLON: Thanks Don. You all spoke eloquently about the records, health records as a resource for the kind of research you do and the role of surveys potentially, as well. And the mix and survey strategy. In terms of here in California, have you run up against any, well obviously, OSHPED actually facilitates the hospital discharge. This is a data base of all hospital discharges in the State of California presumably regardless of source of payment. Have you run into any difficulty in data availability when you move away from the claims and fee-for-service world and you try to get encounter level data from a health plan situation? Hospitalization data may be less of an issue but certainly encounter-level data; what sorts of problems, if any, have you encountered and is the California state law, I guess, dealing with health information privacy, I guess; does that present any impediments or is it relatively easy to deal with for research access? But the encounter data question first.

DR LUFT: I haven't gone looking where I don't expect to find it. But, on the other hand, we are beginning a project right now where we will link OSHPED hospital discharge data and match it to Medicare enrollment data to be able to look at hospital admissions for HMO enrollees from hospitals that never provide incoming bills. Because we believe they do provide a hospital discharge abstract for everybody, even though they might not send something to HCFA. So that's a situation where the ability to link will actually allow a window into some data that HCFA had never been able to look at. Now we've not gone into the encounterable data.

I am involved in a project where Kaiser Northern California will be collaborating with us. I'm sorry, used to be called Kaiser Northern California, and they--and that will require their running through their encounter files. And claiming information from there.

DR. SCANLON: Do you have difficulty getting, again, not hospital discharge data. That seems to be in relatively good shape.

DR. ABBOTT: In actuality it's just recently kind of sorted out. Up until two years ago the Office of Statewide Health Planning and Development would not make the individually specific with identifier data available to the Department of health Services. And that was a bone of contention that actually required a very small change in statute to take care of. And the issue was one of consent and whether or not data was being used for the primary purposes for which it had originally been collected.

DR. SCANLON: The physician visit data, for example, or Blue Cross Blue Shield data or commercial insured data, do you have any access to that sort of information and how in California? Is it centrally put together in any way or ...

DR. LUFT: A lot of the HMO's in California capitate medical groups and the HMO's don't get any data.

DR. NEWCOMER: We've tried in innate state evaluation of HMO Medicare HMO's to capture that kind of information and, exactly as Hal said, in some cases the plan administers that data and in other cases you have to go to the group to get it and, with any kind of enrollment if, let's say you are working with an employer group, you might have to have a mix of both types of data collection from both the plan and the various medical groups that are involved in serving that enrolled population. So at this point it's a very complicated structure and they've got an independent practice association mix as well as a staff mix then you've got, the complexities is greatly multiplied within that context.

DR. SCANLON: So you basically have to deal with each plan potentially and would each plan have a layer B? That would make this judgment or it varies?

DR. LaPLANTE: On the national level, the National Medical Expenditure Survey, by the Agency for Health Care Policy Research the one national effort that linked survey data with medical records data. And I'm not aware as to how successful the linked medical records are with that effort but I know that there certainly were problems. And there is a lot of imputation. And I think one of the, you know, one of the fundamental problems is that the plans, you know, are not in the position to make their data available in a, you know, linkable fashion. And you really do have to go through lots of, through a lot of effort in order to have that occur.

DR. SCANLON: Is this proprietary issue for the data or is it the, one of just logistical, the data is not there or both?

DR. LaPLANTE: I think it's both. I think a lot of it's logistical but it's also a situation that is changing or can be changed. I was on the Technical Advisory Panel for the Washington State Risk Adjustment Project where the State of Washington is trying to deal with risk adjustment for its enrolled population.

And they came up with a risk adjustment methodology that would ultimately depend upon diagnoses from inventory encounters as well as in patient claims data and some of the health plans said, "We can't provide this this year or maybe next year but we can get it in a couple of years." And, as I recall, there is, in essence, an agreement to move ahead with it and those that didn't have it would basically be treated as though they had nobody who was high risk. So they had clear incentive -- to get their data and my guess is that it will happen.

DR. DETMER: Simon, Lisa and then John.

DR. COHN: I really appreciate the discussion. It's nice to be back in the world where people understand capitation. And the East Coast. However said that, I do, would disagree somewhat with some of the comments made about the, that there is such little data in HMO environments, I think, typically, it may look a little different but certainly things like HEDIS and NCQA requirements are really driving a lot of very important data collection efforts. Even in an environment where you don't have typical encounter information. Now having said all of that, really the question I had was for Dr. Luft who, I was actually as fascinated by your views as evidence in your written testimony around coding systems and classification and sort of the lack of interest in those issues. Now it has been one of the committee's, I guess, concerns, issues that we have talked about over the last while about coding systems, one versus another, what's preferable what's not, single procedure coding system versus multiple coding system, and I was actually surprised as to what, you said yourself, someone who has dealt with data so much that this does not even seem to be an issue for you. Am I mistaken about this?

DR. LUFT: No, it is so large an issue and so technical an issue that I didn't want to get into it.

DR. COHN: Okay. Is there anything you would like to write us in regards to that?

DR. LUFT: No, it's something where, I mean, I'm an economist. I really don't understand what these tests are, what the procedures are. I'm not, I'm not competent. I know I'm not competent to really get into the level of detail that the health information people, that the clinicians are involved in. I mean, I will talk with my colleagues and solicit their advice but it's their advice not mine.

What I want to do is make sure that the people who really understand the variables, who understand the clinical issues, can have a set of codes that really represent what they think is going on. And I found that very interesting at a meeting I was at recently where people from, this was a public meeting, okay. People from Kaiser. Indicated that they, essentially, did a survey of a number of medical centers and found that the cardiologist did not agree on what an MI was, on when you should code a patient as having an acute MI. Basically dependent upon whether they, you know, considered this only or not and that had to get worked out within the organization. But I have no assumption that cardiologists elsewhere are more uniform. I suspect they're even more variable. Now, you know, I just look at it and say, gee, 410. You know, I'd like the cardiologists to work it out first.

DR. IEZZONI: I have two questions for the man who had talked a little bit about disability. First Mitch LaPlante, you had talked about ICIDH. It's the first time we had ever heard those initials given in these hearings, I think, from somebody voluntarily bringing it up. Does it, well, no seriously, does anybody use ICIDH in the United States for anything that any researchers use?

DR. LaPLANTE: Well, yes. There are many people who are using the ICIDH I think. Gretchen Swanson will be talking to you tomorrow and has some experience using the field of rehabilitation.

DR. IEZZONI: Now in what context on rehab? Okay.

DR. LaPLANTE: The simple things to know about the world health organizations ICIDH's; first of all, it's a framework distinguishing impairments from disabilities from handicaps and handicaps are really more limitations in larger social roles such as working or being a parent or today's voting days so being able to vote and so forth.

And the classification attempts to offer codings for the three domains: Impairments, disabilities and handicapped. And the classification is evolving. It's being revised. It's not perfect. And does need some attention given to it in terms of scientific reliability and validity. But some of that work is going on and being conducted by WHO so I think it is improving.

Whether or not that's the best classification to use for these purposes, I think, is debatable. It has a hell of a lot of detail in it and probably far too much for the purposes we're talking about here. So there are certainly things like activities of daily living or instrumental activities of daily living, various skills of functional performance. These things, I think, are the items that probably have to be in this system in some way because they are so crucial to looking at them as predictors of health care utilization as well as they are very often used in terms of eligibility to go from one part of the system to another.

So if you go from hospital, acute hospital discharge into nursing home situation, we would expect to see that there is some presence of limitation on activities of daily living. So I don't recommend the ICIDH itself. I recommend you look at it. But there are a variety of other types of scales and there is, there may be some role for the committee to review those and maybe come up with a sensible minimum set of disability items to consider.

DR. IEZZONI: Okay. My second question, let me lead off by saying, I found myself as a person with a disability beginning to conflict within myself as a person who is a health services researcher. Because to be honest, Dr. LaPlante, as you started talking about doing small area geographic, you know, type of work and you started talking about looking at people with rare conditions like Cerebral Palsy and Spina Bifida I was thinking, Oh, my God, they're going to find out exactly who those people are even if they don't have the name and address and so on. You know, it becomes identifiable information based on the rarity of the patient's condition. And so, you had said at the beginning of your testimony that in a way you are here as an advocate for disability community and research. Could you, maybe along with Dr. Newcomer, talk a little bit about how you think people in the disability advocacy community, who you must know intimately, might feel about some of the confidentiality issues that we've been kind of touching on in the discussion over the last hour.

DR. LaPLANTE: Well, first I'd say that I think confidentiality is a paramount concern and I would sacrifice the ability to generate a prevalence estimate if it meant that somebody is going to be identified as a result of that. And I'm used to the regulations that the National Center for Health Statistics has applied to the national health interview survey, for example, where essentially they don't release information that applies to populations of less than 200,000 people. And whether or not that's, you know, an appropriate concern here, I think there needs to be, there needs to be, it is an area of concern. It needs to be evaluated. Obviously, in a population of 50 if you identify someone with a rare disability then you know who that person is. And that probably shouldn't be done.

I think that the disability community would have very strong and legitimate concerns over this. Yet at the same time, those have to be weighed against the issues of under service and lack of access to appropriate rehabilitation to appropriate levels of assisted technology and the environments that people with disabilities face in their communities that precipitates disabilities and increases their problems to live independently. And I think it's really for that goal that I think this data is valuable because that can show us, it can give us ways to estimate the size of the population in various areas of the country and disability varies tremendously. The 1990 census shows the three fold variation in the rate of disability from state to state, with the northwest states being the lowest and the southern states, of course, and the Appalachian, Mississippi Valley states being the highest. But that's, those are three fold rates of disability and I think edemiologically that's highly significant. And it suggests that there are, there is certainly a greater need for greater services in the Southern areas where the disability prevalence is higher. And data such as this can be mobilized to explore these issues further. So it is a trade off between a larger need for better information and while doing that without unduly subjecting the confidentiality of anybody.

DR. NEWCOMER: I guess, let me amplify one part of that and give you another twist as well. The, I think, goes back to an issue that was raised earlier is who wants to know and why do they want to know? If, to the extent, that we're trying to identify living situations that are producing harm to the population, whether it's a licensing facility or unlicensed facility, or living with your own family; that's not research data. That's regulatory data and I think we would want to have as much information as possible to link a problem with the source of the problem. From the standpoint of research, you do have the problem of small samples sizes, usually in terms of prevalence, so that aggregation would be an issue. And I think there you could generalize to the kind of setting or the kind of community that you wanted to be evaluated so that it could aggregate up for very quickly and I think obfuscate the confidentiality issues. From the standpoint of the national surveys, we thought this wouldn't be an issue at all. I think it's still a question of how do we appropriately identify and what standard do we use for defining disability?

DR. DETMER: And get some commonality across the data systems so that even if they don't link data across them, we, at least, are talking the same prevalence estimates or same measurement as we approach that.

DR. LUFT: And I just wanted to add a point because I know there is at least one attorney in the room. And we've been talking about confidentiality with respect to data that researchers get to do their analysis. What I actually worry about is, when I get some data that might be down at a very narrow level, where there might be some concerns about confidentiality but I'm not going to be looking. I'm not going to be matching anything. I don't know who lived in that community, et cetera. And I'm only interested in generalizable results across a large number of observations. But then I worry about, what if somebody comes in with a subpoena? And asks me for those data? What protection do I have? Will the university say, "no, you can't have this"? Does it matter if the study was funded federally or not? And I think one thing that, you know, perhaps might be considered is if the data were given to the researcher under agreements of confidentiality through an IRB et cetera then some of these same protections should protect the data from subpoena. Certainly it should protect it from somebody who's undertaking a fishing expedition.

Obviously, if there is fraud or something else that's been alleged in terms of the analysis then one ought to be able to look at it. But I think that might be something that would be worth looking into because I, as a researcher, could lose people for that and I think that's a concern.

DR. LUMPKIN: Well, first let me echo that concern. Because one of the things that I think we have to address on a national level is that what extent, if we do have preemptive privacy legislation, to what extent do we have certain things and certain data bases that currently are very highly protected by the states? For instance, in Illinois our communicable disease data bases are protected from any source. They can not be subpoenaed by any court. Now to what extent would some federal legislation preempt that? But the issue that you raised, and I think it's probably one that we need to look at is, do you create a loop hole by now giving a researcher the data? And that data is no longer quote "within the purview of the keeping agency." And is the standard of release the same? And I think that's something that bears some further looking at.

DR. ABBOTT: I have a question and then a comment. First the question has to do with the one that we gave, that you gave us here, Dr. Abbot, which was, on your first one does the request involved personal identifiers? And it gets back to the small cell size. Is it safe to assume that you do some analysis on small cells? You don't release data, confidential birth certificate data when there may be small cells?

DR. LUMPKIN: That's correct. We have rules for that. Because our state does too and I think that's an important consideration that it isn't just a, "well, no, then no review is needed." I think that there needs to be some concerns about small cell size data.

And then secondly, and then the comment I want to make is that Illinois has been using for the last couple of years a system very similar to what you described for our maternal child health data set. And I think we need to explore a little bit of the difference between a system for identification and we'd had some presentations of master patient indexes. Which may work in a circumscribed system but don't necessarily work as a identifier as much as it's an identifier system.

And I'm not sure that your system is an identifier because of the validity 80 characters long. As opposed to an identification system for a client who is there and I think that creates some limitations when we start looking on the national picture. Is that a fair statement about your system?

DR. ABBOTT: If I understand what you're saying, I believe so. One of the concerns that has been expressed by people that we're trying to convince to do this is, you know, why don't you just have a simple numbering system? It would be so much smaller in terms of field length, et cetera, as opposed to the minimum comment that as I tried to explain in my presentation, it has to do with other aspects of the, you know, being able to collect this and how it's used and things like that. And, again, we've tried not to disrupt an existing programmatic identification and numbering system if that was, in fact, in place.

DR. LUMPKIN: And, in fact, what we will do in Illinois, we do generate some of that and we generate a sound indexing type system, algorithm system to create a number but it doesn't work without the identification system because it isn't always a unique number.

My last question really is for Dr. Newcomer and has to do with the issue of people who live in these conjugate living facilities, long-term care and other types of facilities. One of the issues that we have to address is related to code sets and procedure codes. In trying to get a better handle on what's going on in either a regulatory sense or a monitoring sense or whatever, do you see the need to go beyond a standard procedure codes that we've been talking about? The CPT 4, ICD 9?

DR. ABBOTT: It depends where you, where you would be collecting that information. What I presented to you was sort of a quick fix, easiest and lowest cost option which is not to collect data directly in the facility, but rather collect it at transition points in the delivery system and use it as a, basically as an indicator to suggest that the prevalence is increasing or changing in terms of how they're coming into, let's say, hospitals or nursing home placements or whatever, so that you'd have a barometer. But there needs to be a data system presumably within these facilities that would capture more immediate information about functionality and cognitive status and things like that.

Whether we want to replicate the minimum data set, the nursing minimum data set into residential care facilities is an arguable question and some on this panel would argue stronger than others about that. But that's, I mean, there are long-term care systems in every state that are, some of them are beginning to finally collect intake data and assessment data for all aspects of the long-term data care system which, to the extent they're extending their role to replacement or reviewing the monitoring and placement of the people in residential care, is already producing a data set but again, that's not uniform and it's certainly not ruling out with equal speed in every state or every delivery system.

The more Medicaid dollars expand into providing benefit into residential care and group housing settings, the more we'll be, the incentive will be there to put procedure codes and other kinds of data into these systems. At the moment they don't exist to any great extent so to me that's like a second or third order kind of complexity.

I would settle right now for having an indicator system that's telling me who is coming out of that system, out of group housing situation into our health care system at this point. And, is there anything in there that would make me worried about the quality of care, the quality of health care happening?

DR. LUMPKIN: But the health care encountered would be generally captured by a home health agency based system for those kind of services that extended to the medical treatment?

DR. NEWCOMER: Medicare is moving in, or Medicaid is moving in and a lot of states are using that model of, when you need skilled care to bring a third party vendor in, to the extent that's occurring then you could pick it up with Medicare or with a hospice kind of thing, things like that.

DR. MOR: There are these residential care facilities in Illinois and all across the country. They have no provider numbers in any way, shape or form except in those states where they are allowed to, like nursing homes, be billable under some kind of demonstration program. But that's a daily or some kind of a monthly rate. An institutional service, not a procedure, CPT, or what have you. There is no such system whatsoever like that in place in these residential care facilities.

DR. LUMPKIN: Yeah, but Illinois is just a different case because we haven't quite gotten to the point of identifying that.

DR. NEWCOMER: Third party vendors do come in and provide skilled care of various types and in those situations there would be a procedure. There would be a bill. The issue is whether it would be linked back to that facility in any particular way.

DR. LaPLANTE: But the conceptual issue that we're trying to, that I'm trying to address is the extent that we recognize that this is a new and developing mode and there is more and more concern. If we capture the kinds of procedures that are done in a home health type of environment then my assumption would be then we would then capture the procedures that would be done in this facility and that the challenge in the future would be to link these procedures being done with the location rather than saying that we are now moving forward with a procedure code set that will be inadequate for this environment.

DR. LUMPKIN: You would need to link them, a home health procedure codes will not capture the majority of care that's rendered in these facilities, at least by definition it wouldn't. They're not intended to be skilled care facilities. So that, what we're looking at is personal care of various types, special diets, certain kind of exercise possibly and just your basic assistance with activities of daily living. Those would not show up under normal circumstances in our home health procedure code. And we've got the additional, except this incidental, this incidental is skilled nursing. So that the vast majority of cases would not be producing data unless we're, somehow the facility is submitting an unbundled bill and as Benson has said, there is, most of the time they're getting paid on per diem basis or a monthly rental basis.

DR. LaPLANTE: But I think what we're trying to tease out is not whether or not they're not coded, but whether or not the coding scheme is incapable of capturing them. So if someone were to choose to unbundle would there, in fact, be within that scheme adequate places to code these kinds of care? Or do we, in fact, envision that a coding system that may be inadequate in the next three or four years has more of these facilities get licensed by states and enter a more regulatory environment? And start getting provider codes.

DR. LUMPKIN: You will capture a lot of the data that you wouldn't capture, I don't recall that you may not, what you don't capture may be trivial in that sense. But the bigger issues is that you would only be capturing for that portion of the residents who were quote "getting that qualified benefit" at this point.

DR. LaPLANTE: Well, I think the CPT codes do capture a lot of rehabilitation and I think some of the, what we're discussing as related to the provision of rehabilitation and these kinds of facilities, I would urge some consideration be given to classifying rehabilitation as a separate type of encounter. And this is a real murky area throughout our whole financing system.

And it's partly made murky because of the exemption that rehabilitation has gotten from DRG treatment. And I think at some point that needs to be addressed and solved. So I think consideration of classifying encounters as to rehabilitation and what that would do essentially is, I think it would, it also begs the question of whether, whether these other types of facilities would also be part of this classification or not. For example in the smith and in the hospital discharge survey of California there are three levels of care. There is acute smith and rehabilitation.

And all the hospital discharges submitted in California now have to pick one of those levels of care. So that really helps to make it less ambiguous that somebody in a smith is receiving rehabilitation as opposed to merely getting custodial care because many providers provide multiple levels of service. In fact, many providers provide all three levels of service. And unless they're asked to unbundle these services specifically, it's really hard to figure out what kind of care this person is actually getting.

I think it would, I'm not sure in a billing system such as this how much it can do with identifying group housing situations. Particularly, you can do something for those that are, for those at our facilities. Some of the some of the congregate living situations aren't really classified as, or certified as facilities and that's another issue.

DR. IEZZONI: Could I follow up on that, Don? Just one really quick question. Do either of you have a recommendation for coding systems for durable medical equipment? Do you have a system?

DR. LaPLANTE: Durable medical equipment? As opposed to assisted technology?

DR. IEZZONI: You tell me what the distinction is.

DR. LaPLANTE: Well, there are classifications of assisted technology. And the International Standards Organization has a classification and there is, there is, I just know vaguely of a project that the, that North Carolina, I believe, that's looking at a classification system in the United States and that's for the Assisted Technology Act which funds states that come up with comprehensive plans for delivering assisted technology. So there are those two. I can dig out the North reference for you.

DR. IEZZONI: That would be great.

DR. LaPLANTE: But durable medical equipment is, has a -- somewhat separate, its separateness really just involves those kinds of medical, those kinds of assisted technology that funders, providers typically consider as medical. And they ...

DR. MOR: Thank you.

DR. SCANLON: Two points. The National Health Interview Survey which I think you're familiar with, all of you, actually took a different tack in terms of identifying services, estimating services received by disabled individuals living in the community and it's really a survey approach where rather than the site of care, the approach was basically to follow a, to interview cohort of individuals so when the sample indicated they had some limitation or some disability. Now that obviously doesn't lead to a classification necessarily but it does describe the range of social and nutrition and other services that people at least report receiving. They do have limitations as well.

DR. NEWCOMER: To the extent that it, what it did it did fine. The problem was that it excluded a large portion of the support of the housing population.

DR. LaPLANTE: We actually have a report that provides prevalence estimates of assisted technology of the Health Interview Survey so they're interested in that idea.

DR. SCANLON: The second point was the idea of protection of research information. And, you know, there are a couple of examples. I'm starting to think of where this goes. The U.S. Department of Health and Human Services actually can issue certificates of confidentiality for research data.

So, if you have a particularly, it's normally your super sensitive type subjects where there is a threat or where the release of the information would even do more, potentially more harm to the individual. For those kinds of instances, and this is not limited to federal funding, this would be any legitimate research project. One can apply to the Department of Health and U.S. HHS and receive a certificate of confidentiality that theoretically would protect your information from even subpoena.

Now, I'm not sure whether we've ever been tested. I mean, we've never been taken to court on this but; theoretically, and that's literally what you need. You need another law to protect that information. You can't just say, "we won't release it" unless you have some way of actually following through on that. And, again, I'm not sure what courts would do. So it's tricky.

DR. DETMER: I'd like to give each of you an opportunity to make a wrap up comment and we'll take a break here in a bit. This has been a long stretch but I appreciate your patience and concentration. It's impressive. Dr. Abbott.

DR. ABBOTT: As I think about it and the discussion and in the give and take, I really don't have much else to add. Again, I think that the issue, one of the things I failed to talk about was, where data should repose and who should guard it. And in California our approach was not to create a central warehouse or a linking facility. And the belief was that the existing programs that individuals, well, some of proprietary in their point of view of data that that was beneficial. And part of the sets of issues that we're dealing with is, as we have tried to get people to accept this, there was a distinct fear that they'd be forced to share data when they didn't want to share data. And part of this was to say, "No, no, no. That's a separate set of issues."

I mean, just putting unique patient identifier in a data set does not mean that anyone, whoever gains access to that or share it, unless, you know, agreements are made and it is all, thereby, worked out. The other point we've grappled with is the issue of consent. And especially as it relates to public health. And our legal staff had advised us that good consent is very specific. You are able to tell the individual all potential uses for which data may be put. And the reality of public health is, at least, in a significant number of cases, we don't necessarily know that in advance. And since a lot of data is used historically or longitudinally over time this has been another vexing area for us. Thank you.

DR. DETMER: Thank you very much.

DR. LaPLANTE: I think I've mentioned everything that came to mind in terms of content of this system and consideration of disability and rehabilitation. But it seems to me that there has been a lot of discussion of linkage and a lot of discussion of how people link. And a lot of that is done retrospectively and, you know, I think you have an opportunity here to think about linkage in a forward fashion rather than in a backward fashion and just encourage you to think about that. Because it seems to me that that might offer some unique opportunities and since the project that we have here is so large, there may be some interesting new things that can be done. And, you know, I think we invented the social security number as a way of keeping track of peoples' Social Security benefits, for example. And there may be some opportunity to define things in slightly different ways that make linkage of health data easier.

DR. IEZZONI: Your comment, I think, is very helpful. Ed Sondik wants to see, in the national center, wants to see this group really look through some forward issues so I would encourage you also to keep an eye on that and input into that process if you would because obviously we need help.

DR. LaPLANTE: I'd be very interested in seeing what Dr. Sondik has in mind.

DR. LUFT: I just wanted to underscore the comment that Peter just made. Which we've been focusing a lot on the value of being able to link data for various research purposes. But that does not imply that it need all be out there linked in one big data system and put on the web like those license plates in Oregon.

On the other hand, I think the mechanisms that you need to go through, having agencies comfortable talking with each other. Having the review processes set up. Actually most IRB reviews are done before proposes even are submitted for approval. And for funding. And then the mechanism ought to be designed so that it works pretty well but there are at least a few humans beings who see this proposal coming through and say, "Wait a minute. I'm a little concerned about what they're going to be doing with that." Or, "Are the safeguards there"? And I think that's appropriate. I don't think that will halt or unduly burden legitimate research and it may bring us a long ways towards avoiding the kinds of things we tend to be concerned about and that can blow up in the face of good people trying to do good things.

DR. DETMER: Thank you. Dr. Newcomer.

DR. NEWCOMER: Thank you. Having an earlier stage in my life worked for county government and having gone through the circus of trying to come up with uniform assessments and all other kinds of things where agencies had to agree on terminology and language and there is still, 25 years later, still having some of the same conversation. I'm a little skeptical, I guess, of moving too much beyond Social Security number or something like that. But the main point I'd like to make is that, we often think of data systems as having to be universal and I think we've learned something from the public health process of surveillance systems and disease registries and local sort of market or catchment area type studies.

And, I think, one of the things that you might want to consider with this is to pick a sample within states that's a meaningful sample for that state that might be trackable in the sense of, how well are these systems working? So that you don't have to, you can pilot it in terms of the amount of staff time it will take to get everybody working on the same page, to what kind of cooperation you're going to have to come up with. And just get a few computer systems to talk to each other rather than every county or something like that. And I think it would make it more feasible but also I think you could give us the kind of public health systems that are probably going to be sustainable over the long haul as opposed to systems that will either come and go or the inertia will just pull them down before they ever get a reimplement.

DR. DETMER: Some of this discussion is reminding me of one of my surgical matters. In nature nothing's free. But at any rate I think we are here to struggle with these things. At any rate, thank you very much and we'll take a 15 minute break.

(break taken)

DR. DETMER: This--I'd like to call us back to order--this is a panel on public hospitals, community health centers and academic medical centers, and we're delighted to have three panelists with us. My understanding is that Shahla Yaghmai is going to go first, and then we'll hear from Dan Essin, and then Ted, if you don't mind batting clean-up, that would be great [laughter]. So, Shahla, thank you.

MS. YAGHMAI: I'm Shahla Yaghmai, Los Angeles County Department of Health Services. I work in the Information Branch, it's at the headquarters. And for the last five, six years, we have been trying to develop a centralized database. So I'll give you a background about that, you know, L.A. County in general, in terms of that, you know, some of the hardship that you, I mean, we're suffering from at the time that we are going through, and some background if you're not familiar with Los Angeles County.

Los Angeles has, currently has more than 9.4 million patients, I mean, population of the county, and by estimated, you know, by the year 2000, we're going to have more than ten million in terms of population of Los Angeles County. And the health care system operated by the Los Angeles Department of Health Services is the second-largest in the nation. And the county is really a health care safety net for the indigent population in the county. And I don't know if you're familiar with it, 1115 waiver, that county got about two years ago, Los Angeles County DHS6, to increase access to ambulatory care services by 50% and to decrease in-patient care by 40%. And this is one of the restructuring that the L.A. County is going through at this point of time.

Currently, Los Angeles County system includes six county hospitals. We have six comprehensive health centers. We have 26 publicly-operated health centers, eight privately operated health centers, five jointly operated health centers, and 72 private community centers. So you can get the picture of the complexity of Los Angeles County in terms of providing care and, also, something that as a note -- well, I should mention that each of the facilities, each site, they have a different system, computerized system, you know. They have the HIS, some of them, they're trying, the county, to use the same hospital information while the financial system is different, while we have the claim processing system is different. I mean, that one of the challenges that we have to face, and we've started to set up a centralized database at the headquarter, was to capture the data from all, you know, heterogeneous group of system, as well as to be able that, you know, linkage, I won't get that--because, you know, he got through it in the last session. And one of the things that we have to do is just to be able for the strategy planning to one of the interests that county has, the patient movement from one facility to another facility. So that was, so there is no unique identifier across the facility run by county. So that's one of the challenges that county has been facing for the last few years, to assign a unique i.d. across the facility, and just to keep track of patient movement.

Just to give you a flavor of the different type of standard that we are actually, some of them, they are using it, but if you see that, you know, we made a list of a clinical standards, if you look at it, you know, you have clinical diagnosis, you have ICD, as well as, you know, DRG. So that doesn't imply that, you know, we are capturing, you know, the ICD codes for all of our patient population. ICD codes get captured for, you know, for all of our in-patients. Some of our hospitals, they have it for outpatient and emergency room services, not all of them, they're coded, you know, because of the cost involved and other issues. So these are the, just to give you a flavor of different coding being used by Los Angeles County facilities at this point, and also in terms of the procedure code, and a note that we are using, you know, all of our inpatient services get coded. But you have to keep in mind that we use a mixture of ICD procedure code as well as CPD procedure code. And it depends on, there is a set of rules that for what procedure we are using CPD, at what point we are using ICD procedures. And there are other set of, you know, actual coding schemes that is being used, you know, for example, we are using NDC code for all of our drugs. I mean, that's something that is a given across the facility, but it depends on how detailed that the prescription information gets captured. If you look at this heterogeneous.

So L.A. County has always had interest in terms of setting up standards. But in terms of, also in terms of being an advocate of standards, we have been, but implementation is a different story. When we got this [some kind of regulation] of 1996 and we went through it and we reviewed it as a group, you know, we looked at it and thought that is a very ambitious, you know, task to be able to implement it within two years, and just to come over, and just to see that, you know -- and in terms of one of, if you look at our testimony, we have a list of concerns in terms of actual implementation. Los Angeles County does not have resources to comply to [some regulation] because of the fixed revenue. We have a deficit of, for this coming fiscal year, it's estimated at $123 million. So we are actually, any significant changes in operational procedures, system modification, will impact patient due to limited budgetary resources.

In terms of electronic data interchange, it has been in use in financial and commercial application for quite some time. But in the use of technology for patient-specific application, still leaves concern about the data security for Los Angeles County. We have a commitment to patient privacy and confidentiality, and that commitment can be compromised by this legislation. Obtaining resources qualified to address implementation and ongoing maintenance requirements are issues that could impact implementation timelines that has been outlined, which is two years, within two years, everything to be implemented.

We have a list of recommendations. One of them is that, you know, to implement a pilot program to identify that this approach is measurably cost-effective and efficient in achieving administrative simplification goals as stated in the, you know, because I think that, I mean that we believe that if, you know, you want to implement this thing nationwide, it's a lot of issues that's involved. I mean, we have to consider that, you know, that if it's workable in a small pilot, we can attempt to implement it nationwide.

Provide necessary financial assistance and incentives for implementation of the required changes to the information system and operation of procedure and policies.

Establish a reasonable timetable for nationwide implementation because, based on what has been stated, based on our past experience implementing standards within L.A. County, within just a small group of, you know, systems that we are in charge, it has been almost impossible. We are trying, I mean, you know, so we don't know that [hard]; it depends on how well it can, you know, be in force. So that's Los Angeles County.

MODERATOR: Thank you, Dr. Yaghmai.

DR. YAGHMAI: Thanks.

DR. ESSIN: I'm Dan Essin. I have several hats that I wear. One of them is the Director of Medical Informatics at the County USC Medical Center. Another one is I'm one of the physicians that's frequently involved in headquarters activities, which is I guess why I got tapped on the shoulder to come up and visit you. I have an appointment on the faculty at USC and do some other things as well. My primary interests over the years have been in computerized patient records and in data confidentiality and security. As other people have been giving you a disclaimer, I will give you a disclaimer and say that if any of organizations that I just listed disavow anything I say, I'll take personal responsibility for it. [Laughter, applause.]

My interest in computerized records goes back into the early '80's. And the primary motivation for this has partially been that I could never read my own handwriting, nor anybody else's, and I desperately wanted to know, when I was taking care of a patient, what had happened previously. And I think that that interest and concern is shared by all practitioners and by most of the administration and the support people around a facility.

One of the concerns that we have, and I think those of you who are in a private setting and maybe get to read the Medicare Part B News Report that comes from the fiscal intermediaries are more familiar with some of these issues than I am, because I only get to see that occasionally, but I'm always amazed to see the regulations that come out that pertain to preparing a claim. And I'm bringing this up because a lot of emphasis has been put on using claim data. If you look at what goes into preparing a claim, it's hard for me to understand how you can use claim data for anything, except paying the claim.

I mean, the regulations say if you perform Service A and Service B on this date, even if you did Procedures X, Y and Z, don't list them on the bill because they're deemed to be covered by the global rate for Diagnosis A, therefore, we don't want to know about it. So that's the data that's flowing in on claims. It was constructed specifically to be a claim, it wasn't constructed to be anything else. The organization that constructed it probably paid extra. We already paid somebody to write it on the chart and maybe, if we're lucky, put it into a computerized patient record. And we paid somebody else, or some system, to take that data out and essentially, I'll use the word "fabricate" because that implies construction. [Laughter] To fabricate--

Dr. DETMER: Now we understand your disclaimer -- [Laughter].

DR. ESSIN: Okay, to construct this claim which is going to be submitted. And everybody knows there's this "gentlemen's agreement," or maybe that's not the right term--there's a "gentlemen's agreement" that we all know that what's on a claim isn't really what happened. We know that if we're working up the patient for a problem that's not yet clarified, that's that not on the claim. We know that if we have a tentative diagnosis, that that's not on the claim. What's on the claim always appears to be fact. Now the fact may evaporate two days from now when we get the lab result back, and we know that that throat culture was negative, but today it's a strep throat. Because there's no mechanism for reporting why we're seeing the patient. So I don't personally think the claim data--and I don't have a problem with claim data if the objective is to play some finance game and everybody understands that this is the way we're compensating you, but we're cutting back on how much we're compensating you and we're understand that there's an overhead an inefficiency built in the system -- and if everybody wants to agree jointly to play that game, that's fine. But I don't think that that's data for any other purpose, other than the purpose that it was collected for.

Now when we're getting cut back, okay, we're making great efforts at collecting meaning data about our clinical encounters because we don't see how we're going to restructure ourselves unless we know what's really going on. And for us, it matters if Doctor A is able to make the diagnosis of whatever it is the first time he sees the patient, and Doctor B takes three visits and 200 lab tests, we'd like to know that. And we won't know that, or we'll know that easier if the data that we've recorded on the visit, you know, is hopefully, hopefully is real in counter-documentation, and just documents the process that Doctor B is working up the patient and Doctor A knows what the problem is. And that's what we want. And it's going to cost us extra, and it does cost us extra, to the extent that we bill. To take that real data and turn it into this other stuff.

I'm concerned about this for another reason. It has to do with the confidentiality and security. Right now, even right now, when that data can leak out of the claims processing channel and adversely affect someone's life, if someone in the claims processing area sees a recognizable name go by on this 1500 form that says, you know, HIV, even though it's just a routine test or something. Everyone in the world is going to know about that. Now, if you, if the physician had been able to put down "Well, you know, I'm working up the patient for sort of nonspecific aches and pains," that wouldn't have been of any interest. No one would have, even that had a prominent name, no one would have pulled that out of the stream and said, "Gee, world," you know, "O.J. Simpson is being worked up for nonspecific aches and pains." I mean, that's not news. But he got an HIV test, that would be news.

So I have a second problem with putting not maximally accurate data into the channel. Because later on, people forget where it came from and they forget the fact that it may not have been meaningful. And if I offend any of the vendors of, who are building clinical reposi--so-called clinical repositories by slurping up claim data--I don't want to look at that as a clinician because I don't know what to make of it. None of it collects that detail that's behind the scenes that lets you drill down and tell whether that diagnosis of strep throat was actually linked to a confirmatory positive throat culture, or whether it was just something that somebody put down to justify submitting the throat culture.

So once that stuff is in there and its connection with reality is more tenuous, someone is liable to discover that and forget why it got there that way, and assume it means something. And you can come to all kinds of conclusions about that, at the patient's peril, if nobody else's.

There's another thing about confidentiality which I'll get back to in a minute. I want to make a comment about standards. I'm a big fan of standards. The thing that seems to me most important about standards is that people conduct their lives and their business activities and their documentation activities in an orderly fashion. And I think that, I know that Kathy, at the state level, has been trying to get a translation engine available at OSHPED so that she'll be able to translate a facility's set of orderly codes into the codes into the codes they'd like to see without forcing every facility to necessarily use the standardized set of codes.

Any organization that conducts its data life in an orderly way can transform its data into another coding scheme. So one of the things that I would think would be the most important to encourage, would be that people adopt systems that are capable of supporting codified stuff, rather than big blobs of narrative. I mean, big blobs of narrative are real useful to doctors taking care of patients but they have almost no information content that's sufficiently quantitative that you can analyze it and aggregate it and do those kinds of things that everybody wants to do for health policy research.

Once you've done that job of getting orderly data, you know, then the process of turning it into a [snomed] or UMLS or ICD89 code is relatively trivial and, in fact, the cost of that could even be borne by the organization or agency that says it needs to have the data. The problem with forcing, you now, or coercing people into adopting standardized codes is that it forces everybody to withstand the expense up front, even though that data may never be used for the sorts of things that caused it to get encoded in the first place. So if you can defer the cost of the translation and perhaps allow it to be absorbed by a grant, or by the funding for the research project that wants to do the analysis, I mean, from our standpoint, that would be a big plus for us, because it would give us a way to defray some of the administrative overhead costs which right now we don't have a good way to cope with.

The big problem I have with confidentiality was really pointed up by watching the hearings for the confirmation of the new CIA chief a couple of weeks ago on TV. And the question that came up there was dealing with secondary release of information. It was touched on by some of the other speakers. There's primary release of information, which means that an authorized individual accesses a system and gets at the data to which you've granted an access. Secondary release is whatever that person does with that. The clerk that sees O.J. Simpson's test result going by in a laboratory is authorized to see that. The thing they're not authorized to do is to tell their friends, okay? The protection that we put place now to prevent secondary release, is we put a policy on the wall that says "don't tell your friends." It sits there. It looks down on people telling their friends. It can't do anything, it can't protect--it's not proactive.

One of the things that suffers first when you start restructuring organizations and cutting cost and cutting staff, is you put more burden on each individual staff member who's left. And when you increase their stress level and increase their workload, it makes it more likely that they will either forget or ignore, or even actively violate the policies that you've put in place, either because they're just overwhelmed or because they're hostile. So policy in and of itself is no protection against secondary release. And secondary release, if it occurs, compromises the person's privacy just as much as a primary release. And the problem that I have with the current approaches is that there's nothing that's available in the data systems that you can buy off the market today that even does a very good job of providing a modulated level of access control to the people who are primarily allowed to see the data.

Unless you have specially constructed systems, which for the most part aren't available--our lab system, for example. If we wanted to flag a class of test data, like HIV tests, in our lab system, that said to this class of tests, if someone goes to look it up requires a secondary challenge, or requires a higher level access code than some other tests. That system hasn't got the capability to do that. So we have to store the HIV test results in a completely free-standing system that's disconnected from our main system. And in order for a clinician to get access to that, they have to make a special request through an employee to retrieve that information. It's very costly.

DR. DETMER: In the interests of the rest of afternoon's agenda, I need to have you wrap it, Bob.

DR. ESSIN: I'm just about there.

MODERATOR: Thanks.

DR. ESSIN: Okay, the point is, it's so costly to get the desired level of security with existing technology, that no organization will actually ever do it. And without that, there's no protection. So until some better mechanism is available to modulate primary access and to control secondary release, I'm very concerned about putting either meaningful or meaningless data out where people can come across it.

DR DETMER: Thank you very much. Dr. Shortliffe.

DR. SHORTLIFFE: Thank you, Don. I'm Ted Shortliffe; I'm a professor of medicine at Stanford. I'm an internist and also a computer scientist, trained in computer science, and I work at the intersection between medicine and computing most of the time and therefore have been very interested in the kinds of issues regarding clinical data that are on the agenda today. I've also been chief of a division of general internal medicine and practice regularly in an outpatient clinic and on the inpatient services at an academic medical center, so in addition to having an interest in the research issues that confront academic medicine, I have to deal with the realities of accessing patient data in order to make decisions about a patient and knowing the frustrations that exist when that's made difficult.

So I'm not going to address today the benefits or the positive aspects of the computer-based patient record notion. It seems to me that this is, there's a sort of growing recognition of how crucial this really is and how outdated our paper-based approaches have been to the management of clinical data. So rather than arguing the case of the computer-based patient record, I really want to focus primarily on this issue of data privacy and confidentiality, which I view as a very important problem, but one which needs to be properly balanced in a complicated work of patient care and societal good related to by medical research.

I guess my interests in this were honed when I participated on a panel that the Institute of Medicine put together a few years ago related to--actually, we were looking at notions related to community health information networks, the CHINS that were beginning to arise around the country where there were major issues of employer interest in seeing regionalized databases where they have comparative data, primarily in their cases on provider organizations and providers, and how they could be compared one to another, either on cost or, in the case of them on the basis of quality but, of course, in order to develop such data, you need to pool data about individual patients.

It raised all the issues of how those data sets could be kept adequately confidential with regards to who the individuals were and what you need to strip off of a patient's records in order to be assured that this was not an identifiable patient, while at the same time reaping the benefits of having pooled the data across the providers and being able to compare them, one to another. That resulted in a report which I sometimes I think hasn't been read by enough people. If you aren't familiar with it, I would urge you look at it. I think that it's extremely relevant to the issues you're discussing today. It's called "Health Data in the Information Age" and I think it's dated around 1993 or so when it came out. And you could view it as a kind of predecessor to the more technology-oriented report that the NRC just put out in the last month or so, which I know you're familiar with.

By serving on that panel, though, I gained a greater understanding of the really valid concerns to individuals regarding the inappropriate use of their confidential health data. We heard a lot of anecdotes which I found rather frightening, actually, some of which did not require that you pull data in a region to see that kind of infractions that can occur right within a single institution. Perhaps the most abhorrent one I remember hearing was a medical records clerk, very similar to what Dan Essin was just talking about, who was selling the names of patients who had been scheduled for therapeutic abortions to a local rights to life group in a major city in the East Coast. Got at the medical records of such people, got their names, and literally gave their names and home addresses, and the right-to-life folks showed up at these women's front door in order to try to talk them out of going forward with the procedure.

Now no matter what you think about the procedure, it seems like a very clear, totally inexcusable infraction of those patients' confidentiality and it occurred in a setting, I must point out, where the records were on paper. The infraction was carried out by a health worker who had access to that information as part of their employment, and where the only recourse that was available to the institution that was involved in this case was to have her fired. There was no national or state law that could be brought to bear and there's no criminal penalties that were possible and so she was fired, but obviously this is the kind of anecdote which has led to the very real concerns about the need for a much more aggressive look at national policy regarding penalties for such infractions--this secondary release phenomenon which I think is really the major, major concern.

Another thing we learned on that panel, I think, was the importance of balanced recognition of the very valid roles for health data outside of the setting of direct patient care. I mean, you can argue that that should be obvious, but it's surprising how many patients might not find that obvious. And we had many discussions, frankly, about what the kind of responsibility of patients might well be to the society, which is in fact providing them with some of the best, if not the best, medical care in the world--in large part because patients who have gone before them have, in fact, been observed; data have been accessed, combined, analyzed, and have led to knew knowledge and information from which they benefit. And to say, well, I will benefit from all this past work that's gone but, please, you cannot use my data because I'm afraid, because I own it, or I feel it's totally mine to control just doesn't quite ring true to me in viewing this kind of give-and-take that's required in a society such as ours. This is not -- I think I've made it clear, it doesn't mean that you should ignore the privacy issues, but they have to be in some sense balanced, it seems to me.

I know that much of the discussion of this has been aggravated or heightened by the increasing use of computers and networks to handle patient data. And in fact, like Dr. Essin, I have enough interest in computer-based patient records and have talked enough about them myself that I've often had to list the pros and cons of computer-based records. You know, what is it that's wrong the old paper record? What are the reasons for thing about automation? There's a whole slew of them and I promised you I wouldn't try to go through them. But there's one that I put on the pro list, and that is increased control of patient data with regard to privacy and confidentiality. There is no question in my mind that the technology helps rather than hurts that issue if properly implemented and if there are clear policies which then can become part of the way in which the software is developed. And the notion that the computer is a huge threat to the privacy of individual data flies in the face of the kinds of anecdotes I told about where we've seen what can really happen with paper-based records that are less well controlled. It took detective work to figure out how these folks were getting the names of these people. There was no way that the paper-based environment could identify who had been looking at those records. Whereas of course with technology you can be keeping audit trails. If you do proper authentication, you can be darn sure who's looking at any given page of any given piece of data at any time and use that information as necessary to provide patients with a list of who has looked at their chart, if that becomes an issue in a court of law or just because you have a policy that says that's something that they can have if they want it. The provider himself or herself may want to see who else has been looking at the chart and there are institutions that have tried to implement such audit trails to make sure that they can provide that kind of protection and if we get proper penalty legislation and policies then inappropriate uses can in fact be attacked and people will begin to learn that they have to think twice about looking at data that they really have no reason to look at.

There are obviously other ways that technology can help. In the area of data confidentiality, we can encrypt transmitted data. Any vendors providing that? Well, maybe, I don't know of any right now. Somehow or another the reality that we have the technology has not yet affected what we are doing. And if we can get the policy sorted out and straightened out, it's much more likely that we're going to see both vendors and system developers within large institutions like academic health centers beginning to implement the policies that are finally being defined about what should be done. I actually think that the risk of data being transferred over networks being attacked is relatively small but encryption is certainly a way of giving people peace of mind. A variety of ways for authentication; we know the problems of simple passwords. We know the problems if you don't have auto log-out on a workstation and suddenly somebody else can walk up to it and look at data that you had access to a moment ago when you went to answer the phone or something. So there are all kinds of technology solutions to try to make sure that they really do know who's looking at any given point.

Software controls that can allow some people to see some data and other people to see more data. Some workers don't need to see the most confidential information but arguably that emergency room physician, when you're lying prostrate in the emergency room, probably you want him to be able to look at your entire chart. It might be important, even that psychiatric medication that you're on may be crucial in assessing you at that point. Sort of thinking that somehow the psychiatry records shouldn't be available in that setting is to me forgetting the realities of what can happen to people when they're very sick.

And technology can allow you to provide redundancy so that the data are more secure. If the computer room burns up in a fire, it doesn't mean that all the medical records are lost because you can and should have backup procedures in place to make sure that nothing is lost.

So I think it really boils down not so much to whether computers are good or bad in this area. I would hate to see people be so afraid of the role of the computer that they would stymie our ability to actually take tremendous advantage of the technology's role in helping us with patient data management.

So instead the issue is what should the policies be. Define the policies and we'll try to make sure that we design systems that address those policies. And, let's try to make sure that the policies are defined in a way that does not, not only stymie computer developers, but stymie physicians trying to care for patients because they've been somewhat extreme in the way they've been defined and that could happen if we're not careful. Or, totally curtail high-quality research of the sort that our country has been known for and which could also potentially be stymied if the policies unrealistically emphasize a patient's right to control their data to such an extent that the societal contribution of those data, even properly protected with regard to risk to that patient, are not made available unless the patient approves every single use of it. I think this is where we can get into tremendous problems.

So the NRC report that came out tried to define some of the things that are realistic to propose. They pointed out problems with IRB's. The notion that IRB's are the solution to all problems I think is wrong, but maybe they could be a lot better. There was some discussion of that in both the ILM and the NRC report about what the role of IRB's should be. But we do need to address specifically what it means to empower patients with total control over their data and how those data are used.

If, as some people have argued, and I've heard this realistically argued, I didn't think anybody would be quite this extreme, but if you had to actually have a patient at the point of care sign permission for any potential use you might want to make of that data in the future, all retrospective research would essentially go out the window. The Framingham study, or at least all its later elements, would be impossible because they didn't know all the questions they were going to want to ask at the time that those data were gathered. We can imagine permissions that would be much more comprehensive about, that would say, and any future questions you might want to ask, but I'm very worried about the notion that people who are asked to follow up and so forth and suddenly you'd have to throw their data out of the data set because you've got something you want to work on, there's no risk to that individual but they never quite signed the form at the right time with quite the right permission and quite the right wrinkle. I think that could happen.

So that's the research risk that I see as being very real and you may say well why would any patient refuse to let you use their data for research and I think all of us who have done any kind of clinical research know that sometimes people are not particularly rational. They don't understand the technology issues and even the sort of societal issues that I've been arguing for here in terms of the fair exchange of their information in return for the care that they are provided and any physician has had the experience of dealing with difficult patients who they feel at times want to do things that are irrational. I to this day remember very well a patient in the era when we were not permitted to write HIV results, even if they were positive, in a hospital chart here in California. I remember a patient who came into our institution who was told over and over again that her HIV test was positive. She had many risk factors. People were always suspicious, could not write it in the chart. The next time she came back, a new set of house staff, a new set of doctors would be involved and she would not tell you what the result of her HIV test was. You were suspicious because she wouldn't tell you but once again you had to do it. It was done over and over again, every admission, because it could not be put in the chart and she refused to provide the answer. She would always give permission to do it again. I think she was hoping it would come back negative one of those time.

But this kind of control over the data, even when healthcare providers are concerned, can really stymie the optimal care of the patient himself or herself. And so I would urge then that to the extent that you're giving recommendations centrally to the Congress and others regarding how to find the proper balance between protecting patient data and urging recognition, the role that those data can play outside of direct patient care or how important it may be for providers to access those data in a way that they feel responsible for and are willing to be audited for, I would hope that this balance is maintained in any legislation that's forthcoming and people can be better educated about why this is really in everyone's best interest and that great harm to individuals can be protected without doing great harm to either research or to optimal patient care.

DR. DETMER: Thank you. I appreciate each of your comments very much. For fair or ill, the way our agenda is set up today, we're already a little past the time of starting our next panel. No, I think you folks were fine, but in any event I want to thank you. We will not have unfortunately time to really discourse with you on what I think were really very--do I have a wrong agenda? I have an old version. That's good to know. Because I would like to hear from these folks. What do you have? [mumbled talk between many people]

DR. SHORTLIFFE: No, advocacy panel. This I haven't seen. Okay. Oh, we only had 30 minutes. Okay.

DR. DETMER: Am I wrong or right that we have an advocacy group that we're going to hear from? Thank you. Now what I'd like to suggest, I do have the right agenda. Anyway, I know that some of you may have to get on your way. If it's possible that you could sit around and we could get our next panel and there's a little time, that would be great. If not, I'm greatly appreciative of your coming. We were scheduled to actually adjourn at 5:30, depending on what comments would come from our last group. There may be some opportunity to exchange on your comments but it's just an awkward situation and that's the best I can do. So I certainly thank you. If you can stay, great. If you can't, thank you very much.

We do know how to get in touch with you so we may very well do that, okay? Thanks very much.

And if the next individuals could come up including I think Dr. Mark Schiller please who was off I guess seeing a patient earlier today when we actually had him originally scheduled. That would be appreciated. And, is it pronounced Marge?

MARJ PLUMB: Yes.

DR. DETMER: Great. Eileen Hansen?

EILEEN HANSEN: Yes.

DR. DETMER: Marj Plumb and Dr. Mark Schiller, if you folks would be kind enough to make your comments, we would appreciate it. Mark, you've waited longest today, maybe we should start with you.

DR. SCHILLER: I'm sorry for missing my time earlier today. I had a bit of an emergency with a patient but thanks for giving me the opportunity to still make some comments. I should mention I represent the California Association of American Physicians and Surgeons. I can say I probably represent their opinions here right now. I also am a psychiatrist on the faculty at UCSF and attending psychiatrist in the Psychiatric Emergency Room at San Francisco General Hospital. They will probably disavow my remarks.

And actually, my missing the opportunity earlier to make my remarks because of patient care I think is actually pertinent in a way because as those of you who are physicians know, there are times when you make plans and have things that you need to do or want to do but when a patient's condition interferes with your plans, the patient's care always comes first. The patient always is the entity, if you will, around whom and for whom the art of medicine was developed. They are our primary concern. The Oath of Hippocrates directs us to provide care for the good of our patient according to our judgment and ability. It also directs us to protect our patient's confidentiality. Those concerns are at the heart of the Western medical ethical tradition. It is unfortunate that today many people are disavowing what is the heart of our medical tradition, which is providing care for an individual patient and concern for their confidentiality.

Today I think the government, managed care and other entities are telling us that our concern is for the good of society and not for the good of our individual patient. I think that is totally wrong and contrary to our tradition, a tradition that has served us well.

I'd like to tell you today that no other concern supersedes the rights of the patient. No other concern supersedes the rights of that patient to obtain the care that they desire or the confidentiality that they require. And there are no other concerns, whether they are the interest of researchers, the desire for efficiency of a managed care organization nor the desire of health and human service bureaucrats to grab more power in the field of medicine. There is no concern of theirs that supersedes the rights of the patient.

My view is that this so-called administrative simplification which is dictated in what I will call the Kennedy Kassenbaum Bill for my simplification purposes, I don't believe that there is any reason to believe that administrative simplification will improve medical care. I think that actually Dr. Essin pointed out some of the issues which indicate to me that care will not be improved and those basically come along the lines of what the Nobel Prize winner F.A. Hyak termed the "problem of knowledge." In directing a centralized system of economics of health care, people don't have all of the specific and variable and very quantitative information that would allow them to dictate the workings of an economy or the workings of a complicated health system. We will never have all of the knowledge which an individual patient can impart to an individual doctor, and trying to gain that knowledge, trying to form a large database so that we can direct care, runs into the problem that you cannot put the information that we need into the type of information that a computer can use.

What will happen though is certainly that this information will be abused. We heard of one case in which a clerk sold information about multiple patients. We know of cases such as the case in Maryland where state employees sold Medicaid information to a managed care organization. We know that hackers will be able to steal information once they get onto a network. We know that unscrupulous researchers even and unscrupulous bureaucrats will be able to manipulate information to serve their own ends.

In addition, recent evidence shows that data, mandatory data, especially that which is being sent electronically, will be used to find in many cases simple coding errors by which government prosecutors will pursue health care fraud against physicians and others. In these cases that have occurred recently, these are well meaning physicians who just made some coding errors on an overly-complicated system of coding and some of them are now in jail. Over recent years the amount of health care fraud prosecutions against physicians has increased by approximately 200% and with the passage of the Draconian anti-fraud statutes included in what again I will call the Kennedy Kassenbaum Bill, you can be sure that the amount of those prosecutions will increase.

I'll try to sum it up here. I believe strongly that the Kennedy Kassenbaum Bill's requirements providing unique identifiers to patients and physicians, to direct the actions of private entities and to mandate data collection on medical care is unconstitutional. I'm not naive enough to believe that concerns about unconstitutionality will stop anybody from implementing these directives. But these are not amongst the enumerated powers of governments and it is appalling that a law has passed Congress without anybody raising those issues. I'd also hope that the committee here will recommend against the actual implementation of unique patient identifiers and provider identifiers and the centralized and mandated collection of this health care data. Again, I'm not naive enough to believe that this will actually happen.

The best that I can hope from this committee is a recommendation. I believe that just as patients need to give consents to be part of a research project, that patients need to know that the information that they are providing to their physicians and others will be sent electronically to whatever health care databases are out there and that they need to provide consent for that sort of transmission to third parties if any unique identifiers are being used and I think it is the ethical obligation of this committee, and certainly of the physicians being involved in this process, that no patient information is provided with unique identifiers unless patients have provided that sort of consent. I know for myself that I am not going to use any physician identifier in my clinical work and I'm certainly not going to use such an identifier for patients without their consent. Thank you.

DR. PLUMB: Thank you. My name is Marj Plumb and I'm the Director of Public Policy for the Gay and Lesbian Medical Association and we're stationed here in San Francisco so I appreciate the opportunity to give testimony here.

We were founded in 1981 as a professional association for gay, lesbian, bisexual and transgender physicians in the United States and we have over 1,800 physician members as well as medical students and other supporters. We are in all 50 of the United States and we're also in 12 different countries.

We were founded with the distinct mission to combat homophobia in the medical profession and in society at large as well as to promote quality health care for lesbian, gay, bisexual and transgender patients. The issue of medical records confidentiality is a very important issue to our mission.

Many of our physician members provide care to gay, lesbian, bisexual and transgender patients as well as many of our physicians have very significant HIV practices and so my remarks are going to be centered around those patients.

The patients that we're concerned about are lesbian, gay, bisexual, transgender patients and HIV positive patients who are in a bit of a Catch-22 situation when it comes to interaction with the medical system. We encourage patients to have open, honest dialogue with medical providers, that that is the way to ensure the best possible health care that they can get. But we also know that medical providers are a part of the society that we live in and we live in a homophobic and AIDS-stigmatized society. And so our patients, while we encourage them to come out to their providers, also then have to deal with the very real potential of discrimination by medical providers. And I want to talk about that for a moment even though that isn't in particular related to patient confidentiality with regard to the medical chart. But I think it's important to understand what patients are going through and what some of the issues are that they deal with in terms of working within the medical system.

We did some survey of our members in 1994 and asked about whether our physician members ever saw patients, gay and lesbian patients, be discriminated against or receive substandard care and 67% of our physicians said that they had observed gay and lesbian patients receive substandard care because of their sexual orientation and I want to read you just a section of that report that discusses this:

"Many respondents told of physicians and medical students referring to lesbian, gay and bisexual patients as faggots, dykes, sissies, homos and queers. In several cases respondents recalled physicians actually calling patients these terms directly to their faces. In others it was literally behind their backs. A Massachusetts resident reported that when she treats gay male patients, her attending physician routinely stands behind them and mouths the word "sissy."

But I want to emphasize that we're not just talking about name calling. We're not just talking about feeling bad. What we're talking about is substandard care. We're talking about not getting the care that you deserve for the condition that you're presenting with. Reports of substandard care or denied care for lesbian, gay, bisexual patients were numerous and varied. A medical student described seeing an emergency physician refuse to care for a patient with colitis once the patient identified himself as a sexually active gay man. A urologist wrote of a young man denied appropriate surgical therapy for his testicular cancer because he was gay and therefore perceived to be a risk for HIV. A Michigan family practitioner personally witnessed an anesthesiologist let a man he knew to be gay labor with airway obstruction after surgery. A Massachusetts physician worked with a colleague who singled out a gay patient with an anal abscess and refused to give him routine pain medication when draining the site. And a Wisconsin psychiatrist reports that while he was a resident, he heard another resident boast that he had sent away a crying fag who came in all upset because his lover had broken up with him.

All of these examples of substandard care and discrimination are also reflected in literature and research that's been done on the health providers themselves. In some cases, one study in Southern California, 40% of physicians surveyed reported feeling uncomfortable providing care to gay and lesbian patients.

When we look at issues like HIV, we also have to recognize again that HIV stigma and discrimination continue to occur and the impact of that discrimination of course goes beyond the medical system itself to the potential to lose employment, to lose housing, to lose your children, to lose access to your community or to your family, if certain information is reported or is leaked.

We're not specialists in data management. I represent medical providers who try to provide the best care possible to their patients in a system that despises both their patients as well as themselves as medical providers. I can't tell you the ways that you can structure the system to protect patients. But what I want to leave you with is that this isn't about data, this is about people and this is about the fact that we exist within a system that doesn't like us and that system controls the information that tells the rest of the world who we are. And the rest of the world also doesn't like us. So we need to know that the gatekeepers of this process don't just talk in terms of data, but talk in terms of people's lives because that's what the data represents. An HIV test is not just a lab result, it's not just a lab process. It's about somebody's life and it's about their ability to continue living their life free of discrimination. And it's an awful, awful process that you're going to have to go through as you continue to develop the recommendations that you need to make but privacy and confidentiality have got to be prioritized we believe to the highest level possible because this is very real in terms of the discrimination that our communities have to face.

The recommendations we have are very simple: the first recommendation is that we believe that there should be strong recognition that only universal access to health care and strong anti-discrimination laws throughout society, not just in the medical system, are the only way of protecting against discrimination based on data leak, based on patient medical record exchange and that that may not appear to be within the scope of this committee in that you're dealing with very technical issues, but you have the opportunity to make that statement and that if we had universal access to health care and if we had anti-discrimination laws that protected against discrimination in employment and housing and all of the areas of society that people are discriminated against, then patient protection issues would, that would be the greatest thing we could do in terms of protecting patient confidentiality. We believe that you need to enact, you need to request the enactment of the strongest possible measures to protect patient medical information and again, we're not data managers, other people have said it better than we can so we're not even going to attempt, but we're just really, really, really urging you strongly to consider the strongest possible protections and with that then the strongest possible penalties and sanctions against people who inappropriately divulge information from a medical record.

The opportunity exists right now to make these sweeping changes and I think that you know that that's what you are all sitting on. And, if we don't act fast, systems will continue to be put into place that will then be impossible to fix and for the sake of our patients, we need the systems developed now to provide the most amount of protection. We are available to assist in any way and thank you for your time.

DR. DETMER: Thank you. And Ms. Hansen.

MS. HANSEN: Thank you very much. I speak to you today as the public policy director for the AIDS Legal Referral Panel of the San Francisco Bay Area. We are located in San Francisco. We also do federal public policy work and I will apologize to you in advance for needing to read my testimony to you.

The AIDS Legal Referral Panel was founded in 1983 and we have provided comprehensive, free and lost cost legal services to nearly 30,000 people with HIV/AIDS in the San Francisco Bay Area. We serve nearly 3,000 people per year and we address many individual concerns related to health care reform, confidentiality, reporting and discrimination. Our public policy department was established in 1991 in part specifically because of the need to address these issues on a larger level. Through our federal, state and local policy work, we endeavor to protect and advance the civil rights of all people with HIV, with particular attention paid to the impact of HIV on those most disenfranchised.

The core idea of confidentiality has a long history within the medical profession as I'm sure you realize although it has only more recently emerged into the domain of legal rights and interests. The fundamental concept of medical information confidentiality dates back at least as far as the Hippocratic Oath as has previously been mentioned. Its basic command that medical information about a patient not be disclosed beyond those who need to know for the purposes of the patient's medical care or those whom the patient chooses to inform is echoed in contemporary medical ethics, statutory protections, the common law and constitutional law. That need to know is at the core of the work that we do in protecting people we work with.

The developing sense that medical information is, at least to a significant extent, properly within the private control of a patient is closely linked to the emergence of the concept of privacy as a morally valued, politically accepted and legally protected area of constitutional rights. It is generally acknowledged that that translates into a certain measure of control over who or what has information access. For example the patient's physician generally has no authority to disclose information about the patient absent the patient's specific authorization. Similarly, the state if it collects any individually identifiable medical information under statutory authority generally cannot distribute that information beyond places or persons specifically authorized in that relevant statute.

When the information involved has public health implications beyond the individual patient the weight given confidentiality is counterbalanced by the potential harm to others. Because HIV/AIDS has obvious public health dimensions, the confidentiality of HIV-related information has been scrutinized and debated since the beginning of the epidemic. Because people with HIV/AIDS have long been victimized not only by the ravages of the disease itself, but always by the attendant stigma, prejudice, discrimination, and public fear associated with HIV/AIDS.

The issue of confidentiality has also been addressed within the critical context of civil liberties. Thus, an emphasis on protecting the confidentiality of HIV-related information, especially the names of affected individuals, has been an important focus of addressing the epidemic within the context of protecting both public health and individual privacy.

Those most affected by the HIV epidemic are still disproportionately members of socially stigmatized groups with a well-developed mistrust of government intentions toward them. The epidemic initially was recognized among gay men. And men who have sex with men continue to constitute a majority of U.S. AIDS cases. Long accustom to officially sanctioned and practice discrimination on the basis of their sexual orientation, gay men and lesbians have been profoundly suspicious of the Government's interest in obtaining their names and HIV related medical information.

Other groups disproportionately affected by AIDS have for varying reasons also been wary of government designs. Injection drug users risk defining behavior in and of itself is criminal automatically making injection drug users mistrustful of any collection of information on them.

People of color, especially African Americans, have also been marginalized historically. They have been less linked to the formal health care system. And they have been trained by long experience to be leery of government intentions. As you know, it took them until this year for an apology to be provided regarding the U.S.-funded Tuskegee syphilis study on African American men that was appallingly not stopped until 1972.

For many women who comprise an increasing percentage which is now 20% of all AIDS cases, mistrust has been increased by fears that their HIV status could jeopardize their custody of children. We have seen this legitimate concern most recently raised in the context of pregnant women being coerced under the threat of prosecution or the ultimate loss of custody to take medical treatments that could reduce the potential for HIV transmission to their fetus.

Breaches of confidentiality have occurred in many contexts including the medical setting. The most recent example is that of the nation's worst breach of confidential HIV information in [Peneles] County, Florida where 4,000 names from an AIDS surveillance database were leaked to two newspapers in September of '96. Florida prosecutors have since filed criminal charges against a public health worker who tracked AIDS cases for using classified information for his personal benefit. He checked a computer database of AIDS cases to search for the names of men he planned to date. And against his former business partner who was identified as the person who anonymously mailed this containing the database to newspapers.

Currently, Florida officials are also investigating an unrelated case there, in which there are allegations that a clerk in a welfare office tapped into the State's computer network to discover the confidential health records of an acquaintance and leaked information that could imply that the person has AIDS. A clerk whose job it is to determine whether an applicant is eligible for benefits such as Medicaid and food stamps, reportedly found the acquaintances T-cell count while using the Florida system, a network of computers that contains the files of more than a million Florida residents and is seen by thousands of state employees. A T-cell count is a measure of the body's immune response and is an indicator of the health of a person with AIDS. Officials said the clerk apparently led others to believe that the acquaintance had AIDS. The response of the Florida Department of Children and Families to this outrageous incident has been so far that that information should just not have been on the computer system.

People with HIV have lost their jobs, their homes, the support of their communities, their families, their friends, and their insurance, upon inappropriate disclosure of their HIV status. The healthcare system has itself been used to discriminate against people with HIV with some doctors, dentists, and hospitals refusing to treat HIV infected individuals or disclosing medical information.

As health information systems are increasingly utilizing electronic technologies, the issues of privacy and nondiscrimination are also increasingly important. Electronic data collection and electronic transfer of information must not be done without the strongest possible privacy protections in place. It is imperative that any attempt at implementing administration simplification maintain the strictest possible privacy safeguards on the personal health information of people with HIV/AIDS and in fact of all people in this country.

The AIDS Legal Referral Panel remains concerned that the health insurance Reportability and Accountability Act of '96 seriously threatens patient's confidentiality. While the Secretary of HHS would be required to adopt standards related to electronic transactions, data elements of health information security and privacy, the legislative purposes of the standards do not sufficiently emphasize patient privacy. The Act specifies that the standards adopted must reduce the administrative cost of providing and paying for healthcare. Clearly this is the emphasis of the administrative simplification provision. Privacy concerns in my mind are secondary at best.

Additionally we agree with the concerns of the AIDS Action Council in Washington, DC That the development of privacy standards will come long after the electronic health information network has begun operating and will therefore be meaningless to ensuring the confidentiality of medical records. Electronic medical records must be made more secure than paper records. But we agree with the National Research Council's panel on March 5, that strong incentives do not exist on the part of the healthcare industry to ensure that. However in representing consumers with HIV, we would disagree with the panel that consumers are not concerned with this issue. We believe that they are.

We would agree with the panel that the use of a patient identifier must be weighed against patient privacy and must be backed by policy set to define proper access and specify sanctions against abusers. We would assert that the language of the policies and sanctions must be extreme and absolute. Confidentiality of sensitive medical information such as HIV must be protected. Unnecessary disclosure of confidential medical record information, that includes HIV status, sensitive medical procedures such as abortion, mental health status, substance use, sexual orientation or behavior and gender identity must not be allowed. The use of a carefully-constructed, appropriately unique identifier system both for gaining access to the information system as well as for identification of a personal medical file must be carefully assessed. The historical significance of the right of consent for patients must be understood in this context and must be honored.

As noted by Paul D. Playton, the panel's chairperson, we have already seen, for example, how the social security's number's widespread use in motor vehicle licensing, employment, banking, and medical records can be used to collect information on specific individuals. While importantly state authority to provide privacy protection in the area of individually identifiable health information is retained in the Act and while future Federal legislation in this area must not preempt state laws, ultimately a comprehensive Federal privacy statute must be created to fully protect the privacy of all personally identifiable health information.

Meanwhile, however, in implementing the administrative simplification provisions, the privacy needs and discrimination-related concerns of people with HIV/AIDS and others with stigmatized illnesses must be heeded. These concerns are based in fact and experience and the health insurance Reportability and Accountability Act must not be used to further erode the civil liberties of people with HIV/AIDS and must not be used to create an electronic nightmare of indiscriminate and insensitive medical information disclosure. The AIDS Legal Referral Panel is certainly happy to provide additional information to work with you with regard to these concerns. And I appreciate your time.

DR. DETMER: Thank you. I want to thank each of you for your testimony today. We've had a long day. It's right at five. What I started the day off saying was that we had an open session at five. I would appreciate if you would be willing to stay right where you are, because we do have still a half an hour and I'd like to have an opportunity first to let people in the audience if they did sign up to make comments to do so. In the sense of fair play to our agenda of the day. And if there are none, then I would suggest that we open this for some continued discussion both with you folks as well as the prior panelists who I see happily are still in the room. If you want to come on up, that would be great, if you don't mind.

Okay, who would have questions or comments?

Did you want to comment? Yeah, please go right on up to the microphone.

MS. BROWN: Just because I forgot to sign up, I'm Laura Brown with Ernst & Young here in San Francisco. We've discussed a number of times today security. . . sorry, privacy and confidentiality. And I come from the security side of the fence. And I'm curious to know if you can give us an update on what the committee's recommendations for the security issues which will be forthcoming. What the are? Where we're at? That kind of thing.

DR. DETMER: Yeah, actually the security piece is very important. And I think we in fact will be getting into our first real discussion of that at our meeting later this month. But as far as recommendations from that, it's going to be downstream a ways. But that's my, at least, understanding of where we are. Good question. I'm glad you asked it. So, stay tune. We will be speaking to it. But it will be a little bit. Benson.

DR. MOR: I have a question, actually two, of the former panel and actually the second one for the current panel. Dr. Essin, you mentioned that just narrative is not data and you can't do anything with it. On the other hand, you suggested that you want to think of a variety of different non-, internally consistent, but not necessarily exportable coding systems that could then be subject to translation tables. Could anyone comment on the existence of translation technologies for handling narrative with sort of not. . .

DR. ESSIN: There are several very nice demonstrations of the potential of what you can do with narrative. One of them is at the University of Pittsburgh and the other one is by a commercial firm in Texas which is sort of a spin off from Nexus Lexus. And they both employ very powerful technology for cross-indexing text. And it works fine provided that the text is consistent. And it works fine for any text which is some recognized variant of what was predictable. And as such, in terms of finding patient records for a provider, it works extraordinarily well because the patient's identifying, you know, internal hospital id. number for example is present in each record. So, you don't lose records when you're trying to find a patient's individual data. But if you were to do an epidemiological survey in the hospital. Looking for hospital acquired infection, you might miss one or two or three. The point is you wouldn't know how many you missed.

DR. MOR: But how many would you miss if you were relying on coding that might or might not be consistently done?

DR. ESSIN: The reference I made to consistent coding implies forethought. It implies… Very much along the lines that the national library's been sponsoring this unified medical language system, and one of the things that the unified medical language system does is it cross-correlates with a semantic notebook. So it says that the term or the concept x is a y, which is a z, which is a q, which is an a. Therefore, you can backtrack through that tree of essentially predefined relationships or predefined meanings to know that these five different phraseologies all represent the same concept. Now, you can do that either using those kind of technologies or you can pre-link an ICD-9 code with a term that may appear in a computer system so that every time somebody includes a boilerplate piece of text, for example, in a narrative it's carrying along with it the pre-assigned code.

DR. MOR: The reason I ask the question, as well-known to the other members of the panel, I'm very concerned that establishing and recommending particular code sets now might introduce straitjackets that limit the scope of the potential for future, more flexible systems for characterizing the behaviors which are of essential importance.

DR. ESSIN: What I'm essentially describing is some of the things which have come out of my research. And it has a behavioral component. I'm a pediatrician, so let's take a… I want to describe an eardrum in a patient with [otitis]. I know what I want to say. Either I or the institution might want to associate that concept with an arbitrary number of additional coding systems. All I'm suggesting is that you have an architecture that allows you to preassociate what the doctor wants to say with what it means for billing, and what it means for epidemiology, and what it means for this, and what it means for that. Then, you know, the mere act of choosing it brings along all the baggage. Without anybody having to sit there and redo the work, to recode it on a case-by-case basis. And you can either do that before the fact or because you have a consistent internal vocabulary, you could apply a new coding translation after the fact, even to data that was collected years before.

DR. SHORTLIFFE: I'd like to make another, sort of a clarification, first. I think, maybe this is obvious, but I think it's important to note that when Dr. Essin is talking about coding systems, he's talking about structured data entry at the time of recording what's going on. Not taking and extracting data from a chart after the fact. Post-coding is a whole other matter and has to do with tremendous potential problems. But building standardized environments for actually describing what you're seeing and then adding to those the flexibility of some pretext when you find that there's something constraining is the kind of approach that's not all one way or the other. And it still gives people the flexibility to say what they want to say. To the extent that experiments like that are being done and have been done in the past, it is remarkable how quickly people can begin to adapt to a standardized structured data entry if the process of interaction is facile and gets into the flow of the work. I mean, the human-computer interface is a much more important one in my opinion then the terms themselves because it turns out that if they evolve and they evolve in the setting where people practice, and they feel that they can in fact begin to augment them over time, that you see relatively good acceptance of the terminology by the clinicians. But if they reject it, it's much more because of the nature of the interaction that's being required of them compared to picking up a dictaphone or something like that. I think structured data entry does have tremendous potential advantages and has to be worked at. And then the development of standardized vocabulary that allows us to share and pull data for purposes of research and people moving from one institution to another and so forth, become very important. You know a lot about this.

DR. LUMPKIN: I'm intrigued by a number of comments that we had today concerning the potential impact of this new world that we're trying to engage in now. In most other industries they've already been in this world of automated information systems. I feel the need to address the challenge because one of the downsides of the current system is probably most aptly reflected by my family. Where my son, all of his records probably from the age of birth all the way up to three have been completely lost. So, we go through the issue every time we have to be in his school, of what do we about the fact that he really has no immunization records. And the HMO that we belonged to at the time did not have an automated medical record system. And certainly, we would not have this problem if that record system had existed. Because it is not as easy to lose an electronic, well, that's not true. But the redundancy of the system usually is a little bit greater.

And also having worked in the emergency department where untold hours were spent on the phone calling Cook County Hospital for a patient who was seen there just to know what medicines they're on, and what treatment they have, and what really is underneath that scar. So, there are definitely significant clinical advantages that I see.

A lot of what we hear about problems that exist... I'm trying to discern what is the increased risk that's associated with the electronic environment. And how much of that risk is based upon poor system design, and how much is inherent in information system development. And let me explain what I mean by that. The information system that we use in Illinois for our maternal child help system is a fairly complex system that people only can get into based upon their password. And that password is given out only by the state of the central location. So, at the 350 local sites, clinics, you can't get a password unless you apply to the state. And then that password is associated with access. So, there are a number of records that exist which a person without the appropriate password doesn't have. So, the system is designed to say that essentially if you are going to get a record, you're going to have to do that outside of the normal course of things and you're doing it in a way that you know is wrong.

So, what is the risk associated with poor system design where they are not built with those safeguards, you know, the audit trail of who looked at what. Or to the extent that the electronic systems that we are putting in place just have this inherent capability of increasing the risk. Or are we talking about a risk that appears to be there because we just ignored it when it existed with people looking at paper records and transmitting data either primarily or secondarily. It's a long question, but I...

DR. DETMER: I want to put a cutoff on that before you respond. Because I think it's something that I said earlier today that some of you may have come later and didn't hear us speak to. I'd like to take off the plate a little bit from your point. We are living in a society that does need anti-discrimination legislation that very much clouds an awfully lot of what otherwise is, if you will, personal health data in an information age. If we were in a society that had universal care, had in fact anti-discrimination laws in place, I think you would have a different answer to your question. So, I would just like for you to respond with that or without that, but aware of it.

DR. ESSIN: One of them I wanted to follow up. I started to mention the CIA division. I started to mention the CIA director's confirmation hearing. And the question that was put to him to the CIA, you know, can you guarantee that there won't be security leaks. Because that's, you know, leaks are everyone's concern. And his answer was not with existing technology. Well, if the CIA can't do it. How can we do it?

DR. COHN: It reminds me of Mark Twain's comment about humans, that they were made by God at the end of the week when he was tired.

DR. ESSIN: I'll also point out incidentally that the first policy failure on undocumented history was God's failure to kill Adam and Eve after they ate the apple.

DR. SCHILLER: My comment is not that it's necessarily the fact that it's information on electronic media that's the danger. To me the danger is that what the government is here trying to do is collect healthcare data on all individuals and providers in the country. And that can be misused and abused. I would, since you're all probably going back to Washington, I would urge you all to go to the Holocaust museum and memorial where you will find a machine which was a primitive precursor of a punch hole computer which was used by the Nazis to collect... Every individual was given a healthcare card with some information punched onto it, and those healthcare cards were then used to weed out so-called mental defectives, the mentally ill, later Jews, homosexuals, gypsies. And then they co-opted the physicians in Germany to set the process of killing off those people. The real problem here is the collection of a massive amount of data which can be misused. It's not necessarily the media.

DR. ESSIN: Other comments.

DR. SHORTLIFFE: There was a technology question that you were asking which I don't think we've really addressed yet. And I think it needs to be said. First, I cannot imagine the technology that would provide security. What a person knows, what's the technology that's going to keep that person from doing something wrong with that information. So then it becomes the question of what do you do to control. Who gets to find out. And what policies, procedures, and penalties do you create to in fact try to keep that person from making an inappropriate release of data.

MALE: What you can imagine?

DR. SHORTLIFFE: Well, I can't imagine it right now. Maybe you can. But it seems to me you're talking about technology. You know, little things around your neck that go off if you try to speak. You know, we're talking science fiction right now. Right now, once you know it, it's pretty hard to imagine the technology that keeps from telling someone on the subway about it or on the elevator. But the technology question I do think is important. And that is, is there something inherent about the use of computers that creates greater exposure, greater risk than previously. And, of course, there is in two ways. One is that it's abhorrent to imagine the ease with which someone can put on a white coat, walk into any hospital in this country, pick up almost any chart and read it. You know that's been true, not recently, but for a long time. But you do actually have to physically be there. You have to get at that physical paper chart. And there's the potential once things are in computers, of it leaving the institution where it is presumably managed where it is pooled in other databases possibly without proper adherence to the kinds of protection that would separate identifiers from the actual data. I mean, I think it's a lot less risky to the managing government databases that are pooled if there is literally no way to figure out whose data are in there but rather the characteristics of those data for purposes of public health analysis. And if you know that the government not only knows all the data but exactly whose data those are, go back and find your address, and your phone number and your social security number. And therefore everything that's known about you financially. So, yes, there is an increased risk, especially in the world of networking. There's potentially great risk because someone talked before about hackers. You know, in Germany, breaking into machines over the Internet and getting data. You cannot deny that those are possible.

So, the real question is, are there technological safeguards that make those extremely unlikely? Are they so expensive that no one will implement them? Or in fact with proper inducements and policy do we have pretty good technology in hand right now for protecting against the potential risks associated with such technologies? I think the answer is, there are excellent technologies available. But we're not using them. We're not using them as much in healthcare as Mastercard is using them. There is a portion of our society that has cared a great deal about this. Look at the incredible amount of commerce now being carried out on the Internet. And I feel very comfortable now when I see that Netscape key merge in the lower left-hand side of the Netscape. You know what I'm referring to. That means I've got a secure HTTP server. And I think it is probably safer for me to put my credit card number onto that form going to that company than it would be for me to pick up the phone and give my credit card number by calling an 800 number.

MALE: Or at the restaurant tonight.

DR. SHORTLIFFE: Or when you leave it there. I mean we have to, we have to not just say because it is a computer there's greater risk. There is a tremendous amount of technology that went into making that key connect. When you see that key connect, you probably can save the [unintelligible] credit card number in as long as you know what the site is you're dealing with. I mean there can be inappropriate folks out there on the Internet who will rob you blind still. In terms of is someone listening in, do I need to worry that somebody is going to steal my credit card number off the Internet. I don't think it's a big worry any more. And that's why there's a lot of books being sold by Amazon.com and other examples like that. People have learned that this is a way to do business. And that technology generalizes and has tremendous applicability in healthcare protection as well, but we're not using it.

MS. PLUMB: I want to add two things. One, I think the difference between computerized records and paper records is certainly in terms of things like HIV stigma and discrimination as the examples that my colleague Eileen mentioned. There exists within a computerized system the ability to gather mass amounts of data on mass amounts of people such as those people who are HIV-positive and those people who have had T-cell laboratory tests, that type of thing. And discrimination against any one person is, of course, as deplorable as against hundreds of people. We are now in an era when you can have instantly discrimination against hundreds and thousands of people through a computerized system. I think that's a major difference between computerized and paper records. And I would suggest that we hear a lot of discussion about what can be protected and what can't be protected against security information in the computer. Systems and star wars technology and all of this information about how this can be done if we start with the premise that no information needs to be transferred at any time and then take each piece of information separately and say: does this ever need to be transferred? I think we would be starting at a better place, rather than in the middle of the conversation and saying, well, we know information has to be transferred. And we know it's going to have to be transferred electronically. And we know we can't really protect it. So, what do we do? I know this is tantamount to getting thrown out of a room sometimes, but I suggest that we start a different discussion. What if nothing had to be transferred? Then what would the system look like? And take each piece of information separately. Because I'm afraid we've started at the wrong point of the discussion in a system that obviously has flaws and obviously has the ability to breach access.

DR. ESSIN: [Inaudible]

MS. PLUMB: Probably. But I don't even know you. How could I have set up? This is definitely Star Wars.

DR. ESSIN: It occurred to me and I'm sure it will occur to some other people real soon now that while you are pre-associating all those coding schemes with the individual data facts that you might want to chart on somebody, you can also pre-associate the release category with that fact. So, you can predetermine that somebody's height and weight are of moderate sensitivity and their hair color is of low sensitivity, and HIV status is very high sensitivity. So, by somebody merely including that item in someone's record, it's already flagged as something that should never be released because that was a decision that that organization and that provider made. I'm glad Ted brought up Netscape because it raises an interesting...

You see there's two kinds of secondary release. There's secondary release to somebody's eyeball. If they see a record and they carry it off and they spew it out. But there's another kind of secondary release which is printing the screen of Netscape or saving the screen to a file. Now Netscape has electronic commerce which says that when the little key comes on the data link is encrypted. One of the things that, you know, your committee could recommend is that the Netscape industry be encouraged to make another version of Netscape that has assured capability that the sender of data can turn on or turn off the ability to print the screen or to save to a file. So that before you release a web page of somebody's data to a remote site, you know in advance whether or not you can take control over that PC and turn off the capability to save to a file. Knowing that you had that capability someone might say okay now I can downgrade the release category of this from high to moderate because I don't care if somebody sees it and carries off one or two verbally, but I don't want them downloading 23 screen prints and walking off with it. There's technology that we could have that we don't quite have. And we won't have it unless somebody asks for it in a forceful way.

DR. MOR: Let me ask a question about that. Why is it that the industry has not been responsive to this in healthcare?

DR. YAGHMAI: Cost.

DR. MOR: Cost?

DR. YAGHMAI: Yes, cost. [unintelligible] because right now there are lots of good system designers [unintelligible] because of costs associated with.

DR. MOR: I called Netscape.

DR. YAGHMAI: It's a big issue. You know, when you live in this big environment, it's a big issue. I mean I agree you have to have a good system design, we have good technology available, but the [unintelligible]. It isn't available to us, the health industry. I mean we need to make a decision. Patient care, better information systems, which one has the high paying…

DR. DETMER: Yeah, I agree with your number. $123 million deficit this year. I wrote that down. These are the real tensions.

DR. YAGHMAI: It's so much tension right now for us. And everybody like that. Our office is going crazy right now. Everybody wants to have good date because they try to make a decision to say that to close this hospital or to close the clinic. And when you look at it, we don't have the best technology available and we have to [unintelligible] job. You know, you don't have the best technology. It takes two days. We have many of the records, you know. And they want to have the [unintelligible] patient [unintelligible]. The cost is a big issue.

DR. SHORTLIFFE: It is. I agree it is. But it is interesting to ask. I mean this is a huge industry. I mean and so why is an industry this large not able...

MALE: Fifteen cents of our gross domestic product.

DR. SHORTLIFFE: So why does it not drive more the creation of such technologies? And this really has to do with healthcare as an industry being incredibly fractionated, poorly coordinated, no shared vision about things like this. And frankly very little government leadership in helping people understand it better. I do not believe that it would be too expensive if there was consensus among healthcare institutions and organizations about what was required. The standards begin to evolve, the industry would say thank heavens, finally we know what to do, and if we do it, there's going to be a market for it. Right now, because of the lack of that market, people are buying bad quality information systems and putting them into hospitals because they don't have expertise for making these kinds of decisions, they're not getting adequate guidance, and as a result, you can sell pretty lousy stuff into the healthcare industry that has no security built into it. And everybody says well we don't know exactly what our health policy for data security is in this institution anyway, and, you know, this will keep somebody happy. And so they're investing in some of these. You know, until the healthcare industry gets its act together, costs, disagreements, lack of standardization and so forth are going to keep it from happening. This I think is an ideal example. Where there is a role for Federal Government leadership.

DR. LUMPKIN: And also by and large it's an industry that's not automated. And when I say not automated, I mean the financial reimbursement process is automated. But the business of delivering healthcare is not automated, which is a physician, another caregiver, interfacing with a patient to help that patient get better. That process is not and has not been automated. And so in that regard, where we look at what automation has occurred, it has been to replicate the business processes in an information environment has not been as many other industries learned, a re-engineering of that process. So, in fact, what we do is take a poor system of handling records on paper and we've just developed a poor system of handling records on computers that mirrors that whole system.

DR. SHORTLIFFE: I'll do this quickly, and Bill knows what I'm going to say too. I sit on another commission a little bit like this, advising the White House on issues having to do with the Internet and its planning. And part of what we've done in this committee is hear a lot of briefings by the various Federal agencies that are involved in both current Internet policies with development of a variety of facilities that currently use the Internet, sharing their vision about where it's going, and the striking thing about it is that every single Federal agency except Health and Human Services, has many activities and understanding, and educational programs, and policies in this area. And healthcare, even at the Federal level, has failed to understand fully the role of technology in advancing their business, if you will.

But if you look at the Department of Defense, Department of Energy, Department of Commerce, NSF, NASA, NIST, they're all fully involved in this. And the healthcare research agencies at NIH and National Library of Medicine are sort of trying to be the proxy for all of healthcare right now when it comes to this. And there are similar problems at the state and the regional levels. And I think count a great deal. And the competition that exists under the current healthcare financing scheme accounts to a large extent to why this problem that we've identified is the way it is. We just have not gotten our acts together. We're way behind. It's sort of like a joke around the table about healthcare has failed to really figure it out the way other organizations have.

DR. ESSIN: The answer to your architecture question is: yeah, about two-thirds of the problem is lack of a good architect.

DR. SCHILLER: I would suggest, however, that it's faulty to look at healthcare as similar to other industries and even actually to other departments of government at this point. There's no other industry in which the people receiving the services are not the ones paying for the services and directing the care. We have a system of third party providers and in the system, at least as of 1990, 76% of medical care was paid for by third party payers and not paid directly by the patient receiving the care. And I would suggest that the point at which we had a system in which patients were paying for the care, you would see technology and innovation continue in as much as it was useful. When you go on to Netscape and you go buy something, you have a person paying for the service, who wants the service, who is also concerned about their financial privacy.

DR. LUMPKIN: Let me just add one thing because it actually proves your point.

DR. DETMER: I'm going to be closing this very shortly, and I get the last word. So...

DR. LUMPKIN: In Illinois, there are 2.4 million students who go to school, and they don't pay their own way. And one could comment on the quality of their education.

MS HANSEN: If I could just respond to Dr. Lumpkin's question just very briefly. I think it's important for me to note that our concerns are not based on the fact that we do not agree with an electronic system. I think we understand that it's here, and there's not a thing that we're going to be able to do about that fact. And that may not be a bad thing. But I think our main concern, or certainly one of our main concerns with regard to the increase in problems with an electronic system as opposed to a paper system, is the networking aspect. And I think it takes us back to how much information gets shared, with whom it gets shared, in what ways it gets shared, what kinds of punishments and penalties are in place for the inappropriate sharing of that information, and then what the monitoring is of such a system.

But I'll just give you one example of our concern which is reflected in my experience sitting on a statewide TB implementation plan in the state of California, looking at how to develop new policies around TB treatment and certainly looking at the intersection of HIV and TB. And in the course of discussing how little information providers felt like they had with regard to HIV and their need to have that information in order to appropriately treat their patients with TB. One of the representatives of one of the HMO's in this state said, you know, we can't get access to the kind of information about HIV that we want. But we do have a very big system with regard to information about the kinds of medications that our TB patients are on. And all we have to do is go into that system, look at the medications that our patients are on, and we know what kinds of medications people with HIV are taking. So, if you are not going to give us the information with regard to HIV status, we'll find out ourselves. And we can do that. So, I think that is certainly something that shows me that there's potential for great harm, and great misuse of the system, that comes directly out of the network that we're talking about. And that's why, in my mind, an electronic system needs to be developed much more carefully than the paper system. Although we certainly have problems with the paper system as well.

DR. DETMER: The tension that I think we face in our society is how do we get enough convergence from enough of the people, that really are well-intentioned and worry about it, to get something on the books. And that's the struggle: the tension between the perfect and the could, or what we got. And I think that is really a practical, major political problem that we face in resolving this.

Two last comments and we'll adjourn. First, I thank all of you. I also appreciate you folks that were here earlier stuck around. Comment during the Clinton health reform, it was an interesting question to a person in the street at the time of that about the concept of government medicine, the welfare system. And a person was apparently overhead saying I don't want Government medicine, but don't take my Medicare away from me. The other more upbeat point, and I think it really is upbeat: Edwin Land had a comment, "don't work on anything unless it is terribly important and virtually impossible." I think we've found it. But at least we're struggling, I think, on the right issues. And I thank you very much. We'll be adjourning until tomorrow morning at nine.

(End of session.)