[This Transcript is Unedited]

Department Of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Standards and Security

February 2, 2005

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S [8:43 a.m.]

AGENDA ITEM: Call to Order, Welcome and Introductions – Simon Cohn, Chair

DR. COHN: Okay, we're going to get started here in just a moment. Now, just a check here; Stan Huff, are you on the phone?

DR. HUFF (on phone): Yes, I am.

DR. COHN: Okay, great. Welcome. Okay, would everyone please be seated? We'll get started here momentarily. I want to apologize to everybody for running a couple minutes late. On the other hand, in California it is 5:43 in the morning at this point, so –

Good morning. I want to call this meeting to order. This is the second day of meetings of the Subcommittee on Standards and Security of the National Committee on Vital and Health Statistics. The Committee is the main public advisory committee to the U.S. Department of Health and Human Services on national health information policy.

I'm Simon Cohn, Chairman of the Subcommittee, newly appointed Chairman of the full Committee, and the Associate Executive Director for Health Information Policy for Kaiser Permanente. I want to welcome fellow Subcommittee members, HHS staff, and others here in person; also welcome those listening in on the Internet, and as always, I want to remind everyone to speak clearly and into the microphone.

This morning, we begin with a presentation by the Designated Standards Maintenance Organizations presenting their annual report, and I want to thank Gary Beatty for coming out to join us. This is just a first discussion this year of the DSMO reports and recommendations and we'll be having wider discussions of the DSMO recommendations as well as industry comments at our April 6th and 7th hearings.

Then we will spend the remainder of the morning on Subcommittee discussions of our next set of e-prescribing recommendations, and then we'll finish up with a discussion basically relating to any comments we may want to make relating to the new proposed regulation relating to e-prescribing and planning for next steps.

As noted on your agendas, we're trying to adjourn no later than 12:30.

I want to emphasize that this is an open session. Those in attendance are welcome to make brief remarks if you have information pertinent to the subjects being addressed.

Finally, for those on the Internet, we do welcome email and letters on any of the issues coming before us today.

With that, let's have introductions around the table and then around the room. For those on the National Committee, I would ask if you have any conflicts of interest coming before us today, would you please so publicly indicate during your introduction? And we will obviously include Stan Huff, even though he's calling in, as part of those introductions. And, Stan, why don't we start with you, since I'm mentioning your name?

DR. HUFF: Okay. This is Stan Huff. I'm with Intermountain Health Care and the University of Utah in Salt Lake City, and I will be with the meeting until about 11:30, Simon, and then my other conflicts come into play.

DR. COHN: Okay. Well, thank you. Do you have any conflicts?

DR. HUFF: Not as far as I know right now.

DR. COHN: Okay.

[Laughter.]

DR. COHN: Until we discuss something, hah?

[Laughter.]

DR. HUFF: Well, I guess with the DSMO, I mean, yes, just let people know that I am a Vocabulary Co-Chair within HL7 and a previous Chair of HL7, so I guess people should be aware of that as a potential conflict.

DR. COHN: Okay, and well said. Jeff?

MR. BLAIR: Jeff Blair, Vice President of Medical Records Institute, Vice Chair of the Subcommittee. I don't expect there to be any conflicts; however, it should be noted that my employer heads ASTM E31, so if a discussion or a vote comes up related to that, I'll point that out.

MR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, staff to the Subcommittee and liaison to the full Committee.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and Quality, staff to the Subcommittee on Standards and Security, liaison to the full Committee.

DR. FERRER: Jorge Ferrer, Veterans Health Administration, staff to the Subcommittee.

MR. BEATTY: Gary Beatty, 2004 Chair of the Designated Standards Maintenance Organizations and also current Chair of the X12N Insurance Subcommittee.

MS. AMATAYAKUL: Margaret Amatayakul. I'm a contractor to the Subcommittee.

MS. PICKETT: Donna Pickett, National Center for Health Statistics, CDC, and staff to the Subcommittee.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, and Executive Secretary to the Committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, member of the Committee, and no conflicts.

MS. WARREN: Judy Warren, University of Kansas School of Nursing. I'll have to declare the way Stan did for the DSMO report because I am Co-Chair of HL7's Patient Care Technical Committee.

MS. BURKE-BEEBE: Suzie Beebe, Assistant Secretary for Planning and Evaluation, staff to the Subcommittee.

MR. MUSCO: Tom Musco, in the Office of Health Policy of ASPE.

MR. BIZZARO: Tom Bizzaro, First DataBank.

MS. HELM: Jill Helm, Allscripts.

MS. ECKERT: Karen Eckert, Medi-Span.

MS. GILBERTSON: Lynne Gilbertson, National Council for Prescription Drug Programs.

MR. BROOK: Richard Brook, ProxyMed.

MS. REED-FORQUET: Lori Reed-Forquet, ASTM.

MR. SCHUETH: Tony Schueth, Point-of-Care Partners.

MR. SIMCO: Mike Simco, Walgreen's.

MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics, CDC.

DR. COHN: Okay. Good morning, everyone. I guess I should also publicly disclose that I'm a member of the National eForum Claims Committee representing America's health information plans, so I think you're going to be testifying to a pretty conflicted bunch, Gary!

[Laughter.]

DR. COHN: Obviously, the reason we're all here is we're all experts in the field, and as you know, that involvement sort of goes along with that. But anyway, we look forward to your testimony, so please go forward.

Agenda Item: DSMO Annual Report – Gary Beatty

MR. BEATTY: Very good. Well, good morning, and thank you for the opportunity to testify before you this morning to provide the 2004 annual DSMO Report.

Before you, you have two different hand-outs; you have one hand-out that is the actual report for this past year, and then you also have the detail that goes with it, the appendix.

This year, our DSMO annual report will focus more on the process improvements to the timeliness and predictability of the changes that HIPAA has imposed on the standards development process from both a short-term emergency perspective and a long-term perspective process rather than our ongoing change request process.

This DSMO report covers a total of 16 months. During this period, the DSMO only had 35 change requests. The monthly volume of submitted DSMO change requests dropped from 11.4 to 4.2. The number of change requests completing the DSMO dropped from 8.4 to 2.2 monthly. This year, the DSMO did not receive any new appeals; one appeal from the last annual report was completed during this last reporting period.

The reason or reasons for this decline in the change requests are unclear. One possibility: It's a sign of the maturity of the health care industry's implementation of the current transaction standards. Another possibility is the change requests can be submitted directly to the Standards Development Organizations, the SDOs, rather than the DSMO change request system.

The SDOs either track already or are developing processes to track modifications to show DSMO change requests versus the DSMO change process. Whatever the reasons, there is continued need to ensure that the change request protocol remains responsive and appropriate to the needs of the community being served, and the DSMO Steering Committee has done so.

During this period, the DSMO began processing its first request to adopt a new version of an already adopted HIPAA transaction. The DSMO is currently requesting the collection of supporting cost/benefit information from the industry such as WEDI, AMA, ADA, AHA which will be presented at a future hearing to begin the next steps towards processing the adoption of the new version of a HIPAA transaction.

On Page 3, we have a graph that shows the number of change requests processed, excluding withdrawn changes, since the DSMO started processing change requests. As you look at the chart, it clearly showed the time frame for the fast track – which is the first spike that we have back in 2001, in February, where we went through the changes that were allowed during the first 12 months after the transactions were adopted; it also shows the other spike that we had just before the Oct. 16, 2002, transaction deadline. And then it also shows the tapering off the change request workload that the DSMO had been processing on a monthly basis.

The DSMO has taken steps to improve the overall change management and development process in two ways. Most notably, public improvement has been a major revision to the DSMO website, which is www.hipaa-dsmo.org, which supports the change request system. The site now requires a more robust change request submission, and all requests in the batch need no longer proceed in lockstep so that we can separate them out and process them at different stages.

The CRS support of the code set change requests is on the horizon. Further, the DSMO continues to work with HHS on ways to facilitate implementation of the existing HIPAA standards and arrive at processes that expedite change arising from regulatory requirements.

The DSMO Steering Committee wishes to express its appreciation to Washington Publishing Company for its continued and outstanding support of the HIPAA-DSMO website. The DSMO also wants to recognize the individuals and organizations that constitute the Standards Development Organizations and the Data Content Committees. Their participation furthers the cause of administrative simplification. And we'd also like to recognize our HHS observers, Stanley Nachimson and Gladys Wheeler.

Those organizations that are represented are on Page 4 – myself, Larry Watkins and Alix Goss from an X12 perspective; Health Level Seven, we have Maria Ward and Chuck Meyer; from the National Council for Prescription Drug Programs, Margaret Weiker and Lynne Gilbertson.

From the Data Content Committees, we have Frank Pokorny and Robert Lapp from the Dental Content Committee; the National Uniform Billing Committee, George Arges and Todd Omundson; and the National Uniform Claim Committee, Jean Narcisi and Michael Beebe.

I'm going to continue with the report on Page 6 of the report, which kind of dives a little bit deeper into the change requests that we've received during the past 16-month period.

The DSMO Steering Committee report basically ranges from March 31st, 2004; it covers the period from May through June. This was a 14-month period. That was our prior report. This one is going to be a 16-month report, so when we compare the numbers, we really are trying to break down with kind of disparate numbers a month for reporting, so we have focused more on the percents than the actual numbers.

But the first series of charts here basically show the total changes that were submitted. We do have two categories in here for changes that are removed either by the administrator for basically silly questions that are submitted and things that really are not germane to the DSMO itself; we also have those that are removed from the submitter on here. We have the total number that we did process, the 35 change requests, and then we have on here the one appeal that we did process.

So, during this reporting period, the number of change requests submitted has dropped by 63 percent. The number of change requests actually completing the DSMO process dropped by 74 percent. Actually, this last month, we actually had one month where we did not have any change requests at all, which is actually the first time for us.

And we've also seen a drop in the number of change requests that are being actually withdrawn by the submitters.

On Page 7, we break down each of those 35 change requests by the various categories we identified for those change requests. That includes modifications; these are changes that do impact those that are using the transactions, and we did receive 12 of those.

Maintenance changes are those changes that really do not impact the actual implementation but are more clarification types of language and so forth that help make the implementation clearer.

Category D is basically no change, makes no change to the actual transaction standards. We did have one for HHS policy.

And then on Page 8, we have one new category that we added just this last year, which is Category I, for recommendations for adoption of the new or modified HIPAA standard. These are items that are classified that result in a recommendation to the National Committee on Vital and Health Statistics for the adoption of a new or modified HIPAA standard. Examples might include a request for a new transaction or a new version or release of an already named standard for a given transaction.

This is a new category for us. We created this last September as we received a change request to adopt a new version of the 835 transaction for health care claim payment/remittance advices, and we'll highlight that in a few seconds.

Again, Appendix I completes the complete list of all of the changes sorted by category, their definitions, and both the requests and the DSMO response.

Three of those change requests we do want to highlight. That is, Change Request 795, which was an appeal that was part of our last DSMO report that now closes out that report. This change request also resulted in the NUBC and ASC X12 attaining agreement on the definition of various provider types.

Change Request 1005 includes a special note because of an impact to the ICD-9 for bed confinement status which could have an impact on future implementation.

And then we have Change Request 1008, which includes the request to adopt a new version of a HIPAA-mandated transaction, that being the 835 transaction.

So for Change 795, go to Page 11, just as part of this one where we were dealing with provider types. As part of those deliberations, the DSMO, specifically the NUBC and the X12 examined the usage around all provider types – attending, operating, et cetera. As a result of looking at the request from a broader context and other business needs in addition to the Medicaid situation that was identified in this change request, we have put together a recommendation that satisfies the business needs. So, again, working a lot more with collaboration between the DSMOs.

In Change Request 1005, again, the NCVHS notice during this process of developing the disposition for this change request that dealt with bed confinement, we did learn that there is a new diagnosis code for bed confinement status that was proposed in the October, 2004, ICD-9 Coordination and Maintenance meeting. If approved, that could impact how this segment is used in future implementation.

So I just kind of wanted to highlight that, as we look at codes and so forth, the impact of those possible new codes to the actual transactions that may require future changes down the road.

Then finally, Change Request 1008, the third of these three – we did receive, again, the request to adopt a new version of the 835 for the permits advice claim payment. The DSMO are currently working through the process. We have tentatively approved it, pending the collection of additional information from a cost/benefit perspective to support this recommendation through industry outreach, and we're working through organizations such as WEDI, AMA, ADA, and the AHA. This information will assist the National Committee on Vital and Health Statistics and HHS in the decision to initiate a Federal regulatory process to adopt this new version of 835, claim payment remittance advice.

The DSMO would ask to be added to the agenda of a future NCVHS Subcommittee on Standards and Security hearing to present our official recommendation and support information to adopt this new version.

Some of the other initiatives other than the change request process – the DSMO and the Steering Committee are continuing to address other matters that related to the implementation standards. Some have been completed; others are still ongoing projects. The Steering Committee appreciates the opportunity, again, to support the HHS and the NCVHS efforts to identify and address issues related to HIPAA-adopted standards.

Number one, basically we're looking at the new website. Improvements to the DSMO website providing improvements in functionality, more accurate and complete capture of information, ease of use have been completed and were installed in June of 2004.

Some of the enhancements include the enabling of the posting of responses to requests that have completed the process without delay requesting of the pended extensions; adding more structured questions to the change request entry forms instead of relying exclusively on free-form narrative text; we did have changing the request contact information, and then we also added the ability for the requester to revise change requests before the end of the month so that as they submit change requests, rather than once it's submitted, cutting it off, we do now allow them to make changes.

Streamlining of the HIPAA standards maintenance process is probably where we spent most of our time this last year, is Item Number 2, which is also one of the major items that came out from last year's report.

During the past year, we have focused much of our efforts on this. These efforts have been concentrated on an emergency maintenance process as well as a long-term modification process which are consideration within the bounds of the regulatory process.

The emergency process maintenance is the process that allows for the industry changes to be made to an adopted HIPAA implementation specification between modification cycles. The Department of Health and Human Services is preparing a Notice of Proposed Rule Making (NPRM) to propose changes to the definition of maintenance under HIPAA. The NPRM will outline and request comments on a proposed streamlining process to the change process. This process would streamline emergency changes through the DSMO, the SDO, and HHS, thereby reducing the timeline for maintenance changes.

The DSMO is currently waiting for the NPRM to be published to be able to provide comments along with possible adjustments to this maintenance process as a result of the final regulation.

The modification process is the process that must be followed to name a new version of a HIPAA transaction or to name a new transaction. The modification cycle for adopted HIPAA transactions includes the DSMO change request and approval process, the SDO's development process, the Federal regulatory process to adopt the newly named version or a new transaction implementation specification, and the industry implementation of a newly named version transaction implementation specification.

This is a multi-year process.

Another outcome of the HHS-DSMO discussions is to develop a more predictable process for the modification of the HIPAA-adopted transaction standards. If, for example, an SDO can publish a new version every two years and the Federal regulatory process takes an additional two years, in the best case there would be a new version of the implementation specifications once every four years. The DSMO is evaluating a predictable time frame that can establish for the industry to be notified that new versions of transactions are named and to be implemented.

Looking ahead, the DSMO will complete the collection of supporting cost/benefit data supporting the recommendation to adopt the 004050 version of the 835 Health Care Claim Payment/Remittance Advice. The DSMO, again, would ask to present this in an upcoming Subcommittee meeting in the future.

The DSMO are waiting for, again, the definition for maintenance under HIPAA in the NPRM and will adjust to that as it comes out. And the DSMO are looking to continue to look for process improvements to develop a more predictable, manageable, and efficient change process. Each of the Standards Development Organizations will be working with HHS representatives to evaluate the redundant processes where possible, including the public comment period, to streamline that.

To close, this report reflects both completed and ongoing efforts which will be the subject of reports in future hearings. The DSMO as a collective organization continues to demonstrate its ability to merge both the business and technical perspectives of the transaction standards as well as emergency change and modification processes. The DSMO is well-positioned to assist the National Committee on Vital and Health Statistics and HHS in recommending modifications to the HIPAA-adopted standards or new standards yet to be modified.

With that, I'd like to entertain any questions from the Subcommittee.

DR. COHN: Yes. Well, Gary, thank you very much. Obviously, I guess the proposal to, I guess, move to the next version of the 835 is really the news here.

MR. BEATTY: That's really the news. But at this time we're not ready to make that official recommendation. As we deliberated that, we needed to be able to collect the necessary information to go along with the guiding principles of HIPAA itself. It may help the industry be more cost effective. What is it going to take the industry to transition from one version to the next? What's the cost? What's the benefits?

And, again, we're doing the outreach to be able to collect that information, and as soon as we complete that, then we'll be in a position to actually make that recommendation to the Subcommittee.

DR. COHN: Do you think that will be an early April deliverable potentially or is that too aggressive?

MR. BEATTY: The hope is to have that ready for April because the Department of Health and Human Services is working right now an NPRM that's going to be coming out this summer, and the hope is to include this in that regulation.

DR. COHN: Okay, great. Thank you. Michael, I saw you raising your hand. Please?

DR. FITZMAURICE: This is a very positive report.

It seems to say that the DSMO process is settling down and that we can focus on how to make it better and that that's what you've been doing in the past year.

I know we've been anxious to find out how we can streamline things on our end, how we can make things go faster, either the regulatory process or to find an alternative, and it looks like the DSMOs have been doing the same thing.

Simon asked the question I asked, which was: When do you think you'll be ready to report? So, I don't have any further questions. Just – good job, Gary.

MR. BEATTY: Thank you.

DR. COHN: Harry?

MR. REYNOLDS: Yes. On Page 12 of your testimony, you talk about the outreach that you're doing with the industry. One thing I don't note on here is things like AFFECT or, just to use examples, WebMD, some of the others, because if you look at the implementation of HIPAA, a lot of the vendor situations and what it would take – when a cost/benefit is looked at, and when input's given, that may be another good set of people to reach out to, because that's always kind of the quiet part of HIPAA.

MR. BEATTY: Yes, absolutely.

MR. REYNOLDS: The providers and the payers and everybody are focused on what it means –

MR. BEATTY: Right.

MR. REYNOLDS: -- but the conduit that actually delivers it tends to be those other people. So that might be a good addition to at least consider.

MR. BEATTY: Yes.

MR. REYNOLDS: And you may have already done that, but it wasn't noted in here, so –

MR. BEATTY: Yes, absolutely, because as we look, so many of the covered entities in HIPAA are very dependent upon the software vendors and that's definitely one of the categories of groups that we want to outreach because they will have to go through and make modifications possibly to their software product and so forth, and that's part of what we have to collect as far as the cost side. So we can identify with the benefits side and in the outreach, we need to be able to collect: What's the cost of making this transition?

MR. REYNOLDS: Yes. Thank you, sir.

DR. COHN: Other comments or questions? I guess I would ask obviously – I think perhaps it's heartening – I don't know whether it's heartening or not to look at the falloff in new suggestions, proposals or otherwise. Do you think it relates to that either people have stabilized, people are focused on the security implementation at this point?

I guess the other piece of all of this is that it doesn't sound like you're getting a lot of requests to move the other transactions forward at this point.

MR. BEATTY: Again, I wear a lot of different hats, so from a DSMO perspective, we really don't track the whys of what change requests are falling off and so forth, so we really can't say.

Other transactions are moving forward, from an X12N perspective and an X12 perspective. We are working very diligently on Version 5010 implementation guides right now, some of those of which are already starting to go through the X12N process to have public comments collected so that we can move towards a final version of those.

As we progress in the future, we will see more requests similar to the 835 to adopt newer versions of those. A lot of them are just excellent documents that are cleaning up a lot of things that we need to clean up within the industry and also to address the change requests that the DSMO have received that are post fast-track process. I hate that word. But there's a lot of change requests that we've processed since then, and the newer version of the guides are incorporating those, and so we're working through that next version of the implementation guides at least from an X12 perspective and we'll see those change requests coming forward as well in the future.

That's part of what we're trying to wrestle with right now within the DSMO as we look at both the short-term and long-term process, especially the long-term process. How do we manage change for the industry so that we have a more predictable process for transitioning in that we don't do all nine transactions in the shotgun effect all at one time? And we're trying to find a very predictable mechanism and very timely process for moving from one version to the next.

DR. COHN: Let me ask just a follow-on question about that because I think it's a very reasonable model. I think it is a lot to change everything at once.

You know, the Subcommittee, in our discussions around e-prescribing, has, I think, recommended the Secretary this concept of backward compatibility and that if things are backward compatible, maybe it wouldn't have to go through the entire regulatory process.

Now, does that help or in any way apply to any of the transactions that we're talking about? I'm talking not about specifics but more like the concept; is that at all valuable or useful when we're talking about the administrative and financial transactions?

MR. BEATTY: Well, as we look at the two different processes, the redefinition of what maintenance is versus modification is, we're working with HHS to develop that supporting information for the regulation that's coming up. Those changes that we're looking at as far as a maintenance type of change, again, we don't know exactly what it says in the rule, but it's anticipated that those changes won't have to go through the full regulatory process, versus, you know, when we do change from one version of a transaction to another or adopting the transaction itself, that that does still have to go through the full regulatory process.

Next week, X12 and NCPDP and others at the X12 meeting in Nashville, we're going to be talking about other mechanisms to help streamline, and possibly overlapping comment periods and so forth, again, looking at different ways to improve the process so that we don't have to take four years or so in between versions. You know, we still have to balance out what's too much change and too frequent versus not having enough change within the industry because every time we do change, there is a cost to the industry to make those adjustments. So it's a balancing act between the processes, so, again, we're looking to see what the regulations do say relative to maintenance and what's allowed there versus what it takes to adopt new versions.

DR. COHN: Okay, well, let me just follow-up on that for just a second because I do understand what you're saying. Obviously, though, what you will see this summer optimistically is a proposed rule –

MR. BEATTY: Right.

DR. COHN: -- as opposed to a final rule, so I think that there's a potential difference. What I was actually just asking, and you may want to bring back to the DSMOs just to ask them about, I was just wondering if there was any value to perhaps looking at it differently.

Obviously, the modification pieces that you've talked about are fine for emergency changes to current versions, but you still are going through the process that we're describing for version changes.

MR. BEATTY: Right.

DR. COHN: And once again, I don't know the X12 transactions at the level whether the compatibility is at all helpful or might ease some of that transition either for the industry or for the regulatory process. And so it was just a question. You may want to talk about it in April.

MR. BEATTY: Right. And actually, part of our 835, we're recognizing that the transactions, we don't have to all stay in the version, that, you know, if we're on, say, for example, 4010 versions of the claim, that the 4050 version of the 835 can be used to respond to that claim for a remittance perspective. Certainly, backward compatibility works, and we all are striving with that within our standards to make sure that if we do move from one version to the next, is there backward compatibility? We still have to deal with the requirements in the regulations that says that only one version of any given transaction can be active at any given point in time short of the transition time.

DR. COHN: Okay. Jeff, you have a question?

MR. BLAIR: Yes. Congratulations for your progress.

MR. BEATTY: Thank you.

MR. BLAIR: This is a question that is not directly related to what you do but maybe you're in a position to give the Subcommittee a little bit of guidance or advice on this topic because it's related. Well, you're probably aware of the fact that in many cases, payers have developed companion guides and they differ.

MR. BEATTY: Yes.

MR. BLAIR: And it undermines the ability of providers to submit their claims in one single format and standards. The concept of HIPAA is eroded to some degree by the companion guides. What guidance or advice do you have for the Subcommittee as to what might be done, or could be done, or should be done to either minimize the need for companion guides or converge the companion guides? What guidance or advice do you have on this subject, if any?

MR. BEATTY: Okay. I'm going to take off my DSMO hat to answer that question, and I'll just put my personal hat on. You know, when you look at the X12 and implementation guides, any of the standards documents you look at, just because of the variability in the health care industry, there's always going to be some situations that need to be – I like to use the word "over-clarified." Some of the situations are in the guides; they state they're dependent upon a specific relationship between payers and providers.

We don't have one type of health system, we have different varieties, and so forth, so there is some room and latitude for some flexibility. There are some things that need to be over-clarified between two trading partners. What type of document people use to do that can change, can vary. Some organizations use trading partner agreements, some people call them "trading partner profiles," and a lot of people call them "companion guides" or "companion documents."

I believe there's always going to be a need for supplemental information to clarify some of those different types of situations.

The hard part with companion guides is how some organizations out there have misused what a companion guide really is intended to do. And, really, a companion guide is meant to over-clarify what is not clear in the implementation guide where there are certain situational requirements in the documents that say that this requirement is used at the discretion of the submitter receiver. We have some content that's required by payers that impacts their adjudication process for certain types of health plans.

So the companion types of documents are meant to over-clarify where the guide says you're supposed to clarify something. The problem is that some in the industry have misused that where there's actually changing the meaning and intent of the implementation guide itself, and that's where the industry really starts to run into problems.

So, companion guides are good and bad at the same time and in a lot of cases they're very needed documents to clarify the business situations that are in the implementation guides but at the same time we have to guard against organizations misusing it and basically changing the meaning and intent of the underlying HIPAA standards that are being adopted.

MR. BLAIR: Do you think it's possible for you or some other appropriate group to be able to clarify where the boundaries should be on the companion guides as to what areas of clarifications are appropriate and reasonable and which ones impair standardization and interoperability?

MR. BEATTY: Well, I know from an X12 perspective, no. You know, the question probably would be some of the other industry organizations, such as WEDI and so forth – I know WEDI's taken a lot of efforts collecting and disseminating a lot of the companion guides and so forth – you know, is that something that an organization like WEDI should take on? So they can go out and collect information about what are people using the companion guides for? What are the correct uses? What are the incorrect uses of companion guides? Putting together essentially a white paper that could describe that –

MR. BLAIR: Okay, good.

MR. BEATTY: -- probably would be my recommendation.

MR. BLAIR: Thank you.

DR. COHN: Well, Gary, thank you very much. I think we're all very impressed with the progress being made by the DSMOs and we'll look forward to talking with you more. Oh – Harry, do you have a question? I'm sorry.

MR. REYNOLDS: Yes, it's all right.

DR. COHN: Oh, please. Thought I was finishing up.

MR. REYNOLDS: If out of the review of the companion guides comes recommendations to changes in HIPAA, reclassify situational fields which -- your earlier point -- that's the actual ones that create a lot of issues because they were put in the regulation as situational, which means based on the relationship between the people doing business, that there's a situation then that needs to be sort of clarified.

MR. BEATTY: Well, there's actually not that many change requests that put it at the discretion of the submitter receiver. A lot of the situations define the business situation, if that business situation is true or false.

But the problem comes in where it's really at the discretion of the submitter receiver that a given transaction –

MR. REYNOLDS: The X12 regulation gives definitions of what should be in individual fields. It does not necessarily go into relationships.

MR. BEATTY: Define "relationship."

MR. REYNOLDS: Admission and discharge date versus procedure date versus those kinds of things.

MR. BEATTY: Well, the guides do define those –

MR. REYNOLDS: Okay – it defines the fields, but not the relationship.

MR. BEATTY: Right.

MR. REYNOLDS: Okay. Because as we go forward, as you look at X12, I think relationships -- and that's where the black and white standard is what's creating the industry a whole lot of mess right now, philosophically, because it's a black and white standard but data has relationships -- and so trying to work those out amongst all the people with contracts and everything else.

So I'm really excited about your process. And I think as these companion guides get worked out through WEDI or whoever works it out, then your streamlined process of moving some of that stuff that comes out of that into change can move things along quickly.

So that's the real positive out of today that I saw, Simon, was the fact that with their streamlined process, and the fact that you don't have that huge backlog that you had the last few times you came in here, I think with the WEDI study that comes out and then some of the things that were mentioned that were going on, if that comes out with some kind of an answer, then I think we might be in good position to really make that much more streamlined. So I think that would be good.

MR. BEATTY: In a lot of cases where we can't specify the relationship of data content, we do, but there are some cases where we can't define it, you know. For example, if you have an auto accident, we have situation language that requires that you have the state code in which the state occurred, but if it happened outside the United States – so we have a lot of those types of semantics where we can, in the implementation.

But again, there are certain cases where you can't clearly, black and white, always define the semantics between two different pieces of information because you may only have an admission date; you may not have the discharge date yet, so you can't put it. But it says, if you do admission, you have to have the discharge date.

But we do have separate places within the guides, so this is where the admission date goes, this is where the discharge date goes.

DR. COHN: Well, hopefully we will talk more about it in April –

MR. BEATTY: Yes.

DR. COHN: -- as we move forward. Suzie, did you have a question?

MS. BURKE-BEBEE: Kind of. After hearing Gary's presentation and then reflecting back on the hearings that we've had for e-prescribing, it's made me think about seeing that we have the same stakeholders. And thinking process and the speed that we need with e-prescribing, I wondered if the Subcommittee thought that it would be advantageous to the Department to expand the MLU beyond HIPAA, to maybe use the DSMO process for fielding IT comments during the NPRM process for e-prescribing. Is it a loaded question?

DR. COHN: Yes, I don't choose to comment on that, but maybe others on the table would like to make a comment.

MR. BEATTY: I'm not sure I understand the question.

MS. BURKE-BEBEE: I'll let it rest.

[Laughter.]

DR. COHN: Okay. We can reflect on that, I guess, if we want to make a comment to the NPRM around all that but I guess I'll have to think about it a little bit. I think the rest of the Subcommittee is sort of nodding their heads that they're going to have to sort of think about it a little bit, but we have to talk about it.

Any other comments about that or any other –

MS. GREENBERG: I'm not sure I understood the question.

DR. COHN: The question or the comment?

MS. GREENBERG: Suzie's question, yes.

MS. BURKE-BEBEE: We'll talk later.

DR. COHN: Okay. Any other comments? Gary, thank you very much. I expect we will see you back in April.

MR. BEATTY: Well, you'll either see me or you'll see my next replacement. That will be Todd Omundson, who's the 2005 Chair. So this kind of concludes my role as the Chair. I'll let Todd take over from here.

DR. COHN: Actually, I just want to take this opportunity – I mean, Gary was telling me that he's obviously finishing off his Chair of the DSMOs, and we all really thank you for your service. And then I understand this is also your end as being Chair of X12 and –

MR. BEATTY: Right.

DR. COHN: -- so obviously I'm sure they are very appreciative, as are we, of your effort and energy and all of this, so thank you.

Okay – well, anyway, we will talk more about this in April, Gary, with you or your replacement, then. Thank you.

MR. BEATTY: Yes, thank you.

DR. COHN: Stan, do you have any final comments, or otherwise?

DR. HUFF: I don't. I've been listening with interest.

DR. COHN: Okay.

MS. FRIEDMAN: This is Maria. I'm going to be emailing you a chart about your availability -- I'm trying to set up a conference call – with some times and stuff. Stan?

DR. HUFF: What's that?

MS. FRIEDMAN: Stan, yes – it's Maria. I'm going to be emailing you a chart. We're trying to set up a conference call, so I'm going to go down and do that, so if you look for it, I'll appreciate it.

DR. HUFF: Okay. Yes, I'm connected real time right now, so I should get it as quick as you send it.

MS. FRIEDMAN: Great. Thanks.

DR. COHN: Okay. Well, now I'm going to suggest that we take a 10-minute break at this point before we sort of start launching into e-prescribing. So, we'll give everybody a 10-minute recess here.

[Break from 9:28 a.m. to 9:50 a.m.]

DR. COHN: Okay, we're going to get started here. Would everyone please be seated? Okay.

Now, what we're going to be doing during this session is continuing our review of sort of the – I think what has been described as an early first draft of recommendation letters. Yesterday, we went through for the first time and began to make comments, both wordsmithing and conceptual, related to sort of the background information.

AGENDA ITEM: Subcommittee Discussion of Draft Recommendation Letter

DR. COHN: This morning, there'll be some potential draft observations that the Subcommittee should consider. These, I think, are just, at this point, as I said, early draft, sort of proposed, subject to significant wordsmithing as well as they may or may not be the right recommendations, and we sort of need the judgment of the Subcommittee on that. The other question will be what additional recommendations we may need to have.

So I'm going to turn it over to Margaret.

Jeff, do you have any comments as we move into these?

MR. BLAIR: The only comments that I might have for the audience so that you can put these observations and recommendations into context is, as Simon said, this is really the first time we're discussing as a Subcommittee these observations and recommendations, and Margaret and I prepared a couplet, a pair, and there probably will need to be many more observations and recommendations.

And for those of you who were not familiar with the initial set of recommendations in September, we adopted a format which was different than we've done in the past where, in order to deal with the complexity of issues that we're addressing in the recommendations, we would wind up having one or two or three paragraphs describing those set of issues and we called them an "observation," and then we would have the recommendations, one or two or three or four or five recommendations, that would address those issues in the observation.

So, Margaret's going to take us through the two that are our preliminary, initial draft, and what we'd like her to do is take the time to read through both of them because they're not totally independent, and then after she's read through both of the observations and the associated recommendations, then go back and we'll start dealing with them paragraph by paragraph and sentence by sentence.

MS. AMATAYAKUL: Okay. The first observation deals with a fairly broad scope topic and the second observation deals with a fairly more narrow scope.

Observation 1 is entitled "Development and Testing of Baseline Guidelines for Securing Prescription Transactions over E-Prescribing Network."

[Reading] "Many testifiers emphasized to NCVHS how important it is that e-prescribing be adopted in support of patient safety and that transactions currently are conducted in compliance with HIPAA security regulations.

"Today's e-prescribing transactions are conducted using several important security features, including credentialing prescribers and dispensers, trading partner agreements to grant access to the networks, and security protocols to provide secure transmission.

"The e-prescribing networks have indicated that they provide the added value of reformatting a prescriber's transactions to enable acceptance by the dispenser system. In addition, the e-prescribing networks must reconcile NCPDP codes across different versions of standards where prescribers have used older versions for which there is no backward compatibility.

"The result of e-prescribing has been improvements in patient safety through eliminating the need for the dispenser to transcribe often illegible, handwritten fax or paper prescriptions. In many cases, there are also additional benefits of medication decision support embedded in e-prescribing software.

"E-prescribing processes can support return receipts sent from dispensers to prescribers that also contribute to identification of potential fraud and abuse should a prescriber receive receipts for prescriptions not written.

"Recommended Action 1.1. HHS should work with DEA and State Boards of Pharmacy in establishing baseline guidelines for securing prescription transactions over e-prescribing networks. These guidelines would define the processes to be supported for secure, end-to-end transmission of electronic prescription transactions for all but Schedule II substances.

"These processes would include, A, credentialing prescribers and dispensers; B, compliance with HIPAA security requirements, including those relative to access controls, authentication, data integrity, audit control and transmission security; C, trading partner agreements to establish security requirements based on risk analysis; D, requirement for adoption of a minimum version of NCPDP SCRIPT that would not require NCPDP code translation and requirement for acknowledgment of receipt return from dispenser to prescriber that identifies drugs prescribed.

"HHS should clarify that these guidelines only apply to e-prescribing network transactions using private leased lines or secure protocols over the Internet. Different guidelines may be needed for other forms of electronic transmission.

"Recommended Action 1.2. HHS should work with DEA to support analysis into the potential risk associated with sending prescriptions for Schedule II controlled substances through an e-prescribing network as established in the baseline guidelines for securing prescription transactions over e-prescribing networks.

"Recommended Action 1.3. HHS should include in its e-prescribing pilot tests the evaluation of the adequacy of the baseline guidelines for securing prescription transactions over e-prescribing networks established through Actions 1.1 and 1.2."

Observation 2 is entitled "Evaluating the Feasibility of Strengthening Authentication Requirements and Providing Non-Repudiation."

"Today's HIPAA security rule requires adoption of unique user identification for access control, as cited, and procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed for person or entity authentication, as cited.

"Within the construct of the risk analysis also required by HIPAA, as cited, covered entities may select the appropriate level of authentication. Current security services used for authentication include personal identification number (PIN), password, telephone call-back procedure, token, biometric identification, or any of these in combination. The combination of two measures is referred to as 'two-tier authentication'.

"Today's e-prescribing networks assign unique user IDs to prescribers and dispensers and require a password for log-on to the network. These authentication measures are bolstered by use of either private leased lines or security protocols for transmission of prescription transactions across e-prescribing networks.

"Testifying from chain and community drug stores reported that no prescriptions were accepted through email attachment or other non-secure use of the Internet. However, in the future there may be a reason to use the open Internet to send prescriptions. In this case, non-repudiation services would be critical. There may also be the need to enhance the security of prescriptions for Schedule II controlled substances. Therefore, it is important to begin exploring the feasibility of adopting public key infrastructure or other form of digital signature to strengthen authentication and provide non-repudiation.

"Recommended Action 2.1. HHS should conduct pilot tests to evaluate the feasibility of adopting stronger authentication and non-repudiation measures such as provided for through PKI. These pilot tests should be conducted in the general prescribing community and test the ability to scale adoption of these security services for e-prescribing across prescribers and dispensers in multiple environments.

"Recommended Action 2.2. HHS should conduct pilot tests to evaluate whether methods of authentication stronger than those required by HIPAA – for example, two-tier biometrics – provide sufficient additional risk protection in relation to cost as to require them for use in e-prescribing."

And I just have place holders for others and for privacy.

MR. BLAIR: Maybe we could go back and start beginning with Observation 1 and start going through that, now that everyone has a feeling for what's there as a whole.

MS. AMATAYAKUL: Do you want me to read that again, Jeff?

MR. BLAIR: Yes.

MS. AMATAYAKUL: [Reading] "Observation 1, Development and Testing of Baseline Guidelines for Securing Prescription Transactions over E-Prescribing Networks.

"Many testifiers emphasized to NCVHS how important it is that e-prescribing be adopted in support of patient safety and that transactions currently are conducted in compliance with HIPAA security regulations.

"Today's e-prescribing transactions are conducted using several important security features, including credentialing prescribers and dispensers, trading partner agreements to grant access to the networks, and security protocols to provide secure transmission.

"The e-prescribing networks have indicated that they provide the added value of reformatting a prescriber's transactions to enable acceptance by the dispenser system. In addition, the e-prescribing networks must reconcile NCPDP codes across different versions of standards where prescribers have used older versions for which there is no backward compatibility."

I have a question about that. In the NPRM we just saw yesterday, it actually indicated – Version 5, I think it was – so I'm not sure that this is any longer needed if all must be at least on 5.

DR. COHN: Say that – okay.

MS. AMATAYAKUL: Well, what we're trying to do here is build a case for the networks to be able to go in and reformat or change codes if the code is an old code. And I'm not sure that's really needed if the NPRM calls for Version 5.

DR. COHN: Well, when until tomorrow when you have Version 6 or Version 7, I presume. I'm not sure if I see any issues with it being up there. Remember also that, I mean, once again, there's a separate process with the NPRM, but the NPRM is only a proposed rule.

MS. AMATAYAKUL: Yes. Okay.

DR. HUFF: Yes, I would agree. I think it's good to leave this in because even though you're requiring it, I think there are nuances of coding and other things that you want to have the ability to fix, because otherwise you're implying that everybody can in a flash, you know, or a big bang sort of event, change from one version to the next. And so I think this is much better, to keep it in.

MS. AMATAYAKUL: Okay.

MR. REYNOLDS: Margaret, is the word there "backward" or "forward?" Usually when you're using an older version, you have trouble translating it forward versus if you have a new version, you have to do it backwards. Or if you're in the middle, you go either way.

[Laughter.]

MR. REYNOLDS: And that could happen, too, but I'm struggling with "backward."

DR. COHN: Do any of our people here have comments on this one?

DR. FITZMAURICE: Harry, usually the frame of reference is from the new standard, that that's where you're planting your feet, is in the new standard, because that's the one you're working on and the one you can change. You can change the old standard; then it becomes the new standard. So is the new standard backwards compatible, there being nothing to be forward compatible with, so you plant your feet on the new standard.

MR. REYNOLDS: I understand that, but it talks about old versions that go backwards.

MR. BLAIR: Would it be just easy to wind up saying "backward/forward" so either way, the translation takes place, it can be done?

MR. REYNOLDS: Were you going to comment?

MR. BROOK: Yes, Richard Brook from ProxyMed. The word "reconcile" – we really look at translation and mapping versus reconcile, because that's what we're doing. I don't believe it's really reconciling. We're doing those things. Thank you.

DR. COHN: Yes, Marjorie?

MS. GREENBERG: Well, I could start at the beginning here with this observation. This is basically about security, this one and the next one, and except for a description down at the end of that observation about why it increases patient safety, there's nothing else said about patient safety and there's nothing in the recommendations, I don't think, specifically about patient safety except good security would contribute to patient safety.

So we seem to be kind of dealing with two different things here, and particularly that first sentence, I don't know whether it's saying that many testifiers emphasized to NCVHS how important it is that transactions currently are conducted in compliance with HIPAA security regulations or whether it's saying they testified how important it is that e-prescribing be adopted in support of patient safety and they also testified that electronic transactions currently are conducted in compliance.

So it seems like it's sort of apples and oranges here. We got two different things there.

So this is all about security; I mean, the business about patient safety maybe belongs up above and this, it's all about security. But in any event, there has to be two sentences because it really wasn't clear to me what was being said.

MS. BURKE-BEBEE: Can we make the font bigger?

MS. GREENBERG: That would also be nice. [Laughs.]

DR. COHN: Yes, Margaret, I've been sort of bothered by the first sentence; actually, even a little bit beyond that only because I tend to think of observations as a place where we are making observations as opposed to reporting on testimony.

MS. GREENBERG: Right. If reporting on testimony was above this –

DR. COHN: Yes, and then we're still seemingly the –

MS. GREENBERG: That's why I suggested at least the whole issue of patient safety being moved up.

DR. COHN: Yes, moved up or maybe a little more mom and apple pie sort of allusion to the value of e-prescribing, which may or may not be appropriate in this observation.

MS. GREENBERG: Appropriate to the letter, I think.

DR. COHN: Yes. I think it is mentioned earlier in the letter.

MS. AMATAYAKUL: So you're saying take this first sentence out; it's not needed?

DR. COHN: Yes – well, or putting it somewhere else. I think we were all sort of saying that we couldn't figure out why patient safety was being invoked necessarily in this observation –

MS. GREENBERG: Right.

DR. COHN: -- I think is what –

MS. GREENBERG: And I really didn't know whether they were saying that people had said it's important that these sort of transactions are conducted in compliance with HIPAA security regulations or whether it was a fact that they are, or you were observing that they were.

And I think it needs to say: "Many testifiers emphasize that electronic transactions," because otherwise it could be that they're talking about the paper transactions – e-prescribing transactions.

MR. BLAIR: I think it's correct that we did receive testimony on that.

DR. COHN: Yes.

MS. AMATAYAKUL: What did you all say?

MR. BLAIR: Oh, we're muttering here. Should I get some coherence to our muttering?

[Laughter.]

MR. BLAIR: We did receive testimony from a number of folks saying that they felt that the e-prescribing transactions should comply with the HIPAA security regulations. So I would think it's appropriate to have that somewhere in this first observation, but I don't have strong feelings about it and so –

MS. AMATAYAKUL: I think the point that we were trying to make here is that today the networks are following what's required by HIPAA and that to require more than what's required by HIPAA, such as two-tier authentication or biometrics or PKI, would be over and above what HIPAA requires.

So the point is trying to be made that they are in fact compliant with HIPAA today and explain how they are and why they're value added, and then go on to say that everybody should comply with these guidelines.

So then, Recommended Action 1.1. is:

[Reading] "HHS should work with DEA and State Boards of Pharmacy in establishing baseline guidelines for securing prescription transactions over e-prescribing networks. These guidelines would define the processes to be supported for secure, end-to-end transmission of electronic prescription transactions for all but Schedule II substances."

DR. COHN: Could I make a comment there? And I'm not sure if I know how to wordsmith this one, and I know what you're saying – we were saying non-controlled substances and Schedule III, IV and V, though the way you're saying this to the person who is not aware of how all of this is constructed is a little subtle, maybe is the term here. And once again, I look to you to wordsmith exactly how we might want to wordsmith that.

MR. BLAIR: Are you saying we need more detail or –

DR. COHN: Oh, I think it just needs to be saying it clearly, and I think Margaret is at least trying to at least put a place holder up there. I think that we're just sort of saying, I mean, something that we understand, but it would certainly not be necessarily obvious to someone who was not a prescriber, and how all of this plays together.

MS. GREENBERG: The background above explains it better.

DR. COHN: Well, I think it does, but once again I'm not assuming that the people who are reading this are necessarily all experts in the art.

MR. BLAIR: Is there a particular word or phrase in there that leaves you with an ambiguous feeling? Where is the area in there that –

DR. COHN: Well, I think Margaret has already –

MR. BLAIR: Oh, she's got it, okay.

DR. COHN: Margaret, do you want to –

MS. AMATAYAKUL: Let me read this sentence:

"These guidelines would define the processes to be supported for secure end-to-end transmission of electronic prescription transactions for all Schedule III through V controlled substances and non-controlled substances but not for Schedule II controlled substances."

MS. GREENBERG: I would just reverse that. I'd say "for all non-controlled substances and Schedule III through V controlled substances."

DR. COHN: Yes. I think we may even have further suggestions here – please.

MR. BIZZARO: Tom Bizzaro, First DataBank. I wonder if the Committee wants to limit to just those controlled substances in Schedules III to V. And understanding that we do see different scope here where III to V has a certain level of security that you would demand, I'm wondering here, though, in a suggestion, that you don't want to exclude Schedule II because what I would like to see at some point in time is that all prescriptions can be prescribed electronically as long as the security is sufficient to protect against abuse.

So I'd like to broaden this a little bit, and again, I understand that Schedule IIs are probably an area that we could keep separate because they are the most abused products and they do have a smaller impact than the III to V.

DR. COHN: Jeff, I think you wanted to comment?

MR. BLAIR: Yes. Tom, I think that's a good point, and the reason that we yanked Schedule II out was we felt that there might be different criteria required for that and we didn't want to burden the guidelines of everything else based on what was necessary for Schedule II.

However, maybe if we added a separate sentence indicating that separate criteria for Schedule II should also be considered but consider those guidelines separately so that they don't set the bar for everything else. Tom, would that address your concern?

MR. BIZZARO: It does. That makes perfect sense because there are different levels of security that you would expect for Schedule IIs.

DR. COHN: Yes.

MS. AMATAYAKUL: Could I ask for clarification? So what you're suggesting is that the recommendation in 1.2, should that be moved up to here, to 1.1?

MR. BLAIR: I don't remember what 1.2 is.

MS. AMATAYAKUL: 1.2 is "HHS should work with DEA to support analysis into the potential risk associated with sending prescriptions for Schedule II controlled substances through an e-prescribing network as established in the baseline guidelines for securing prescription transactions over e-prescribing networks."

MR. BLAIR: Oh, I forgot that that was there. Tom, does not that address your concern?

MR. BIZZARO: It does, and it may be that it is the positioning of it, Margaret, because I'm like Jeff; I just kind of forgot that was there, because I look at it as saying, okay, they're not going to consider Schedule IIs. And then when we go into the second recommended action, you do.

So it probably was my observation of the first recommendation in isolation.

MS. AMATAYAKUL: Should I say up here maybe, "see also Action 1.2?" Would that help?

DR. COHN: Why don't you put in parentheses some potential sort of wordsmithing? I think to me the question is do we want to say "See also Recommended Action 1.2" or do we want to say – I mean, my own view is that we seek the day where all controlled and non-controlled substances can be easily transmitted as e-prescribing but realizing that the work for Schedule II is somewhat different. But a change something like that really breaks up the train of thought on 1.1.

MR. BIZZARO: To me, it's just the "but not for Schedule II controlled substances." I think if you're going to talk about III to V, you can talk III to V, and if you remove that and the next recommendation does look at Schedule II –

DR. COHN: Well, that may be a very simple solution. Go ahead.

Other comments, please? Yes, Eleni, we'll get you next.

MR. WHITTEMORE: Yes – good morning. Ken Whittemore from SureScripts. I'm a little concerned about mixing non-controlled with controlled here, and my line of thinking is that I don't believe controlled non-controlled prescriptions is the DEA's role.

So having, say, the HHS should work with DEA and State Boards of Pharmacy could be problematic. And the reason I say that is the DEA has already expressed a strong preference for the PKI and digital signatures. If that were to, by a collaboration like this, become something that was required for non-controlled substances, that would cause us in the industry a lot of problems.

DR. COHN: Okay – so let me just re-describe this, and then maybe we'll ask Eleni for comment and then we'll ask from Maria, but I think what you're suggesting is that we talk very specifically in this action recommendation about Schedule III through V and that maybe we have a different recommendation that addresses non-controlled?

MR. WHITTEMORE: That would be my recommendation, yes.

DR. COHN: Okay. Eleni, are you going to comment on the same thing?

MS. ANAGNOSTIADIS: Basically. I echo Ken's comments because the DEA really has no authority over non-controlled substances and it could muddy the waters. If they haven't come out with a position, we don't know what direction they're going to take.

So my recommendation is perhaps to leave the top with non-controlled substances and then perhaps pull the Schedules III through V into Recommended Action 1.2 below and maybe have a separate sentence for Schedules III through V and then a separate sentence referring to the Schedule II prescriptions.

DR. COHN: Yes, or maybe these are three separate action items.

MS. ANAGNOSTIADIS: It could be, it could be.

DR. COHN: Yes, okay. I want you to stay here for just a minute or two more while we continue the conversation. Maria, did you have a comment on this?

MS. FRIEDMAN: I actually had a couple of comments. If we do what she suggested and pull all the Schedule stuff down, then it should be then "HHS should work with the State Boards of Pharmacy in establishing baseline –"

I'm having re-entry problems this morning, but I'm kind of confused as to what these baseline guidelines are. What are they – model language? Is it a list, "Thou shalt," "Thou shalt not" – is it -- I understand what we're trying to do maybe, but I'm not sure what the guidelines really are.

MS. AMATAYAKUL: I think the intent here was that we heard that for the most part the networks do things like credential prescribers and dispensers and they have to comply with HIPAA and so forth and so on, all of these five things here, but that they may not all do them all, and so we kind of wanted to bring everybody to a baseline of certain activity.

DR. COHN: Okay, and –

MS. FRIEDMAN: I mean, thinking about the process, normally we don't do anything unless it's rule-making, so my question is: Is this model language, you know? And then it gets into a whole process and morass about who updates it and who's in charge of it and all these other things.

DR. COHN: Okay, let's try to divide this into three – I mean, we're having two conversations here; I'm a little concerned. Lori, are you talking on this issue or a different –

MS. REED-FOURQUET: Yes, just briefly on this issue, and I think we may be coming to that. Lori Fourquet, ASTM.

But the controlled substances – and she just took away the III through V – seems that it should say II through V. Even though we do want to ultimately look at them, I would point out that there's certainly significant abuse, other controlled substances such as Xanax, which is a Schedule IV substance, and so there are other considerations and it should certainly assure security requirements for III through V as well as II.

DR. COHN: Okay, thank you for your comment.

Let me just sort of ask, and try to go through this in some sort of a fashion, and I think there's sort of two sets of questions. One is, what sort of buckets we're talking about, and then the next question is, which is, I think, Maria's question, which is: What in the heck do we mean by "baseline guidelines for securing prescription transactions" and what do we really mean by that, in a way that it's –

MS. FRIEDMAN: And how would it kind of work?

DR. COHN: I guess I would look at Subcommittee members – we've talked before about the three different buckets. Are we comfortable with moving forward with three different buckets? So we're talking about effectively three different recommendations, and Margaret may put them together in subheadings of whatever.

MS. ECKERT: Karen Eckert from Medi-Span. I thought yesterday when we talked about this, what we were recommending was that Schedule IIIs and Vs would be treated with the same level of security as the non-controlled. I mean, that was the recommendation I thought we wanted to take back to DEA – not to have three different levels of security but III through Vs and non-Scheduleds and then Schedule IIs as possibly being something a little more strict. And if you're putting them into three buckets, I think you may be losing some of that.

That was my observation from yesterday, but I think we've lost that point.

MR. BLAIR: Could I –

DR. COHN: Jeff?

MR. BLAIR: -- relate to that? I think we're struggling here, so if I articulate what I think the struggle is, then maybe somebody could come up with a good way for us to resolve it.

It sounds to me like one of the problems we're trying to avoid is a fragmentation where prescribers have to use different methods for different levels of these, you know, Schedule II, III, IV, V, and others that are uncontrolled substances. So we don't want to impose this fragmentation.

On the other hand, we also don't want to impose having everybody adhere to the most strict guidelines of security like Schedule II.

So how do we wind up constructing guidelines or recommendations that will apply appropriate levels of authentication and non-repudiation – well, I don't want to maybe go that far – these guidelines, without imposing things unnecessarily and fragmenting them?

DR. HUFF: This is Stan. Even though our recommendation would be that the Schedule III through V follow the same pattern, since the DEA does control that, I think there has to be the recommendation that there be discussions with the DEA or get approval from the DEA to do that. So I think that's the reason I would favor breaking it out, even though our proposal would be that it follow the same path as non-controlled substances.

DR. COHN: Well said, Stan, and Harry's going to comment also. But I think that what Jeff said somehow needs to be incorporated in here, and maybe Harry has some wording. But I think we do need to say that issue, about lack of fragmentation, because we're sort of saying that but not directly saying it, and I think that's a very key issue here. Harry?

MR. REYNOLDS: I think we're all in violent agreement.

[Laughter.]

MR. REYNOLDS: Let me try to structure it maybe a little differently.

Our observation is that we heard that there are clear current ways of securing e-prescribing work, the multi-tier and everything that they're doing.

Second, we know that there are three distinct categories of drugs. Buckets – we use buckets, just to use our example.

We talked about making three recommendations. Recommendation 1 would be for non-controlled, Recommendation 2 for III through V and Recommendation 3 for II.

The first one obviously – we would like at least the first two recommendations, which handle the majority of the drugs and even though the second one is controlled, to have somewhat similar structures in their security, with Schedule IIs obviously needing maybe a further step, but also recommend that as the DEA looks specifically at Recommendations II and III, incorporate those with 1 because overall implementation usability is really what's going to decide the success or non-success of whether this thing really gets traction in all arenas. That's a thought, and a suggestion.

DR. COHN: Yes. Margaret, do you want to read what you wrote up here or is that –

MS. AMATAYAKUL: Okay. So I've got four.

[Reading] "Recommended Action 1.1. HHS should work with State Boards of Pharmacy in establishing baseline guidelines for securing prescription transactions over e-prescribing networks. These guidelines would define the processes to be supported for secure end-to-end transmission of electronic prescription transactions for all non-controlled substances. These processes would include" – and that's the same stuff.

Action 1.2 would be:

"HHS should seek acceptance from DEA for adopting baseline guidelines for securing prescription actions over e-prescribing networks for Schedule III through V controlled substances."

And Action 1.3:

"HHS should work with DEA and State Boards of Pharmacy relative to supporting analysis into the potential risk associated with sending prescriptions for Schedule II controlled substances through an e-prescribing network as established in the baseline guidelines."

MR. BLAIR: Could I add one piece to that?

MS. AMATAYAKUL: Yes.

MR. BLAIR: I think you solved one part of our dilemma by breaking them into three, and that's probably fine. Maybe we need to add one other statement to create the balance, and the additional statement is that as HHS works with DEA and the State Boards of Pharmacy to accomplish Recommendations 1.1, 1.2 and 1.3, they should attempt to come up with guidelines that will minimize or avoid an impact on the users, the prescribers, so that they don't have to use completely different processes for each of these.

MS. FRIEDMAN: I'm still having problems trying to conceptualize all this. Are we trying to look, in the end, at having an end product or an end result, something what NIST put out, kind of like a document with guidelines that lay this all – I'm just having trouble getting my head around it.

MR. BLAIR: Well, I don't think we have the solution at this point. We're really asking --

DR. COHN: Yes – let's be sure we have the right buckets, and then let's figure out – what I'm trying to do is to divide this issue because I think we need to get back and look a little harder at the key piece here, what it is that we're talking about. But, Harry, does this sort of go along with what you're saying?

MR. REYNOLDS: Yes, I think it does. I think after we make the first recommendation, we need to maybe reference it in 1.2, whether or not those could be considered in a similar way as whatever comes up in Recommendation 1.1.

MS. AMATAYAKUL: Could you say that again? I'm sorry.

MR. REYNOLDS: We have had our discussions that basically we feel that non-controlled and III through V could be handled in a similar way and are in fact being handled similarly now, is that correct? So that's what I think we've heard.

So 1.1, I'm fine with. 1.2 says you should seek acceptance from DEA for adopting baseline guidelines possibly based on the same premise in Recommendation 1.1.

DR. COHN: Yes. Eleni?

MS. ANAGNOSTIADIS: Eleni from NABP. Just one point that I want to make under Recommendation 1.1, where we talk about the State Boards of Pharmacy establishing the baseline guidelines.

I think that whether it's inferred, we need to state that the State Boards will work with the DEA because I think if the DEA works in a vacuum and the State Boards are working in a vacuum on this, there's not going to be the communication for the DEA to understand maybe what the thought processes are, and how do we want to mesh at least having involvement from the DEA as the State Boards develop those baseline guidelines.

DR. COHN: Okay. Is that 1.1 or 1.2?

MS. ANAGNOSTIADIS: Well, 1.1 said "HHS should work with the State Boards," so it looks as if the State Boards are going to establish the baseline guidelines. And would the DEA be more willing to accept those guidelines for Schedules III through V if they're involved in the process?

MS. AMATAYAKUL: Maybe that should be a separate recommendation, and that's the bucket.

DR. COHN: Maybe Steve has a –

MR. STEINDEL: I don't know if I'm going to clarify things or muddy the water, but I'm starting to have the same problem that Maria's having of –

MS. FRIEDMAN: What are we doing?

MR. STEINDEL: Yes, what are we putting together in 1.1? 1.1 is partially the key of how this is going to come together. And the thing is, I think we're being very prescriptive about what's happening here. "HHS should work with the State Boards of Pharmacy in establishing baseline guidelines for securing prescription transaction over e-prescribing networks."

You know, I don't know what form this is going to take. I don't know what it's going to be used for, or how it's going to be instantiated. And probably we should say something like "HHS should initiate a process that works with industry, the State Boards of Pharmacy, the DEA to develop baseline guidelines to secure –" so it's a little bit more ambiguous and the process itself can define the end product.

And one thing that it says here is when we're working with the State Boards of Pharmacy, I have this picture, if we read it very strictly, HHS now has to work with all of the State Boards of Pharmacy individually, whereas if we say it's initiating a process, then we can probably like work with your organization to develop it, and we have a little bit more flexibility.

MS. FRIEDMAN: Sounds like we're established a commission.

MR. STEINDEL: Basically, yes. I mean, that's basically what we're – because we haven't heard from the industry what these are, so somehow they have to be put down. We've heard that there's a set that does exist but it's not exactly the same in each one of them. This may occur very quickly, but I think we need to describe more of a process than an actual thing.

MS. FRIEDMAN: I agree with Steve. You're getting me. You're addressing a lot of my issues. But I still have –

MR. STEINDEL: You mean I got closer? Good. [Laughs.]

MS. FRIEDMAN: We're closer, but I'm not there yet.

DR. COHN: Okay, well – Marjorie?

MS. GREENBERG: Yes, I guess Maria definitely got us into the forest rather than the trees here and now I'm finding myself a bit confused as well. I don't have the actual letter, so it's hard for me to remember what was – but I think the title of this whole thing is "e-Signature," am I correct? Electronic signature.

SEVERAL PARTICIPANTS: Observation.

MS. GREENBERG: Okay, so --

MR. BLAIR: This Observation 1 is the establishment of the base guidelines.

MS. GREENBERG: Well, but the big heading is "Electronic Signature Observations and Recommended Actions."

MR. BLAIR: Yes.

MS. GREENBERG: So we know that electronic signature was supposed to be one of the standards under HIPAA that got deferred, and so I don't know how much of this is actually recommending a process to get to an NPRM and a regulation on electronic signature or whether – I mean, because this is called an electronic signature observation – or whether in fact this is something in lieu of ever doing the regulation on electronic signature, how this differs from the security rule. So I guess I'm back to basics here, too, and Maria's answer is shaking her head up and down –

MS. FRIEDMAN: Yes.

MS. GREENBERG: -- yes.

MR. BLAIR: I don't know that anybody knows the answer to that question yet. I mean, we do need some guidelines here. Whether those guidelines will be to the point where you'd want to an NPRM, I don't know, but I think the industry needs some type of guidelines and I think Steve's words of beginning the process maybe starts to get us down that path so we have some progress.

MS. GREENBERG: Well, then we need to be, I think, explicit about that. This may lead to rule-making –

MR. BLAIR: Okay.

MS. GREENBERG: -- on electronic signature or it might be – I don't know. I mean, I'm not getting any clarity as to what our recommendations are on electronic signature from this.

DR. COHN: Phil, maybe you can help us out of this morass.

MR. ROTHERMICH: Phil Rothermich with Express-Scripts. I guess I'm with Maria; I'm sort of scratching my head on what the difference between a proposed baseline guideline is compared to a proposed standard. And if the problem is that there isn't enough industry consensus on what the floor should be, then maybe the recommendation to HHS is pick a floor and propose it as a rule and pilot it and test whether it adequately secures the system.

My concern about using a term like "baseline guideline," particularly in the context of working with the states, is it suggests that then everyone will tinker with it and we'd have a whole bunch of different ways of doing things as opposed to pick a floor, get everybody to agree to it, and call it standard.

And I don't know how we get from here to there, but it's just an observation.

MR. BLAIR: The perception that I have is that we're nowhere close to the point where the industry or DEA or HHS could pull together a consensus on what a standard should be for these areas and that what we're trying to do is saying how do we make a forward step to try to move everyone towards consensus?

And so we thought the lowest level we could start with is baseline guidelines and that as there's more experience in the industry, probably through the pilot tests, maybe over time we might someday get to a point where we could all agree to standards on this but we're not close to a consensus on what those standards should be.

So, anyway, that's – I hear Steve reacting, so he may have an opinion.

MR. STEINDEL: Yes, I have a general reaction, specific one, to several of the comments that were just made.

HHS went through the same process and the same thought process with regard to the security rule, and they decided that they can't do this, and they just put in the security rule: This is up to your individual requirements. Do a risk assessment and figure out what you need to do within your own environment to secure the health care information.

And we're trying to be prescriptive in an area where HHS has already made the statement that they're not going to be prescriptive, and I'm wondering if we should just back off from all this and just say that, that this should be handled the same way as it's being handled in the security rule and that the e-prescribing networks should do a risk assessment and define the way they are going to secure their information and HHS, in evaluating it like they do with the security rule, you know, when something comes up, they will beg the judgment as to whether it's correct or and they could issue FAQs like they do with the security rule about what they consider to be appropriate.

And then, as a separate recommendation, then there needs to be something established with the DEA because they're going to do something specific, but that's in controlled substances.

And I really have a little bit of a problem where we're talking about three bins. There's two bins. There's non-controlled substances and there's controlled substances. And then there's two cases in controlled substances.

DR. COHN: Well, okay, so there are two big bins with one bin having two compartments.

MR. STEINDEL: One with two compartments. And no, no, the important thing there is, Simon, what I would like to push for is I would like to push for controlled substances to be treated the same way as non-controlled substances and not differentiate out the control, too, that this system be secure enough and make DEA happy enough that e-prescribing is e-prescribing and it's irrelevant what type of substance it is.

But I don't think that's going to happen; I agree. Someone in the back just made that comment. But I think we should go in with the open position that we're looking for all the same and bargain for putting Schedule IIs as separate.

DR. HUFF: So – Simon?

DR. COHN: Yes, Stan.

DR. HUFF: Can I make a comment?

DR. COHN: Oh, please. Please.

DR. HUFF: Was that a yes?

DR. COHN: That was a yes.

[Laughter.]

DR. HUFF: Sorry, they cut off your response.

You know, I think Steve's headed in a good direction, but it seems to me that while we for sure don't want to specify particular technologies, it would be good to give some guidance further, more guidance than just saying "do what you think is right."

So, I mean, I think what we would like to do is be able to say something like "individuals should be credentialed" and without getting into the micro-steps of how credentialing might work, there would be something that said it, you know, that there should be credentialing and that the transactions should go over a secure network and say that two things that are in use now are VPN and something else but you can use something else if it's as good or better than that.

And I'd go through each of the areas and make some recommendations about what we think the functional, if you will, the requirements are and technically how you meet those requirements.

I agree we don't want to specify that because there will probably be better solutions soon and we don't want to prevent people from using better solutions that are accomplishing the same goal, but I don't think it helps to just sort of be silent or just say "do what you think is right."

The second thing, it seems to me, is that it's important to say what we want this to be. If we actually want it to be a standard, then I would propose that you move it out to one of the standards bodies and let them produce a standard.

I guess in my own mind I'm thinking that really this should be directed at creating a rule or regulation so that it would be a suggestion for the creation of an NPRM around electronic signatures and e-prescribing.

DR. COHN: Maybe I'll make a comment and then I know Michael wants to make a comment.

I guess I'm sitting here as you're talking, looking at Action 1.1, and of course, I mean, we're still sort of obviously all struggling with what this thing is. But of course, one would observe that the things at least in this draft recommendation are really all things that are already talked about in the security rule.

SEVERAL PARTICIPANTS: Right.

DR. COHN: And so now the way it's written here, somehow it almost looks like – well, some of it security and some of it is things beyond that, but I think most of these things are things that are inherent in the security rule. And so these become sort of examples of things being consistent with the security rule and a risk analysis. And, of course, these are sort of good practices, which I think is what I'm hearing here.

Now, I guess, given, I think, as Steve has commented, that the industry has not been particularly successful yet in coming up with a standard on this thing, I don't know what the value of sending this off to a standards development organization is.

I'm going to let Mike make a comment. I guess I do think that we're all sort of in violent agreement that at the end of the day, what we're trying to do is to get to a set of recommendations that say, number one, current approaches appear to be satisfactory in terms of security; we'd like to see III through V; we realize that the controlled substances are separate – we'd like to see, I think, at the end of the day, all controlled substances handled in a uniform fashion with non-controlled substances -- however, we do realize that Schedule II drugs are really a very different thing, require more analysis, and may really require a different approach or special handling, but we'd like to see III through Vs handled in the same way.

And I think somehow, in all this verbiage, I think we need to not lose sight of where we're trying to go. And actually, I should ask the Subcommittee: Am I saying what you all think at this point?

MR. BLAIR: Could I comment on what –

DR. COHN: Well, you do, and then maybe Michael. I'm just looking at the Subcommittee – Stan, are you fundamentally in agreement with what I was saying?

DR. HUFF: I am, yes.

DR. COHN: Okay, I just wanted to make sure that we were. I mean, if we're not even in agreement generally, we're in big trouble at this point, this conversation. Jeff?

MR. BLAIR: Let me paraphrase, see if I am in convergence. Number one, I think we are driving towards the best we could have in place to help with the pilot tests and after the pilot tests, and I think that it's unrealistic to expect that we're going to be able to come up with a standard in this area that the industry will come to consensus on in that time frame.

So the idea of setting a direction here for folks to work together to come up with at least some kind of basic principles or guidelines during this next year that could be applied in the pilot tests, I think that that's what we're trying to do. And is that what you were trying to say?

DR. COHN: No. I actually don't think that this is a pilot test issue that we're talking about. I think that there's a lot of e-prescribing that is occurring now; there will be a lot of e-prescribing in 2006 that occurs without pilots. And I think what we were hearing, and I think what I'm responding to, is concern that with all of the e-prescribing pilots, with all e-prescribing, period, security is obviously in place and we need to start working on the DEA issues is what I'm trying to say.

Jeff, is that in divergence from you?

MR. BLAIR: Just to go down that path, that's okay.

DR. COHN: Yes. And that's all I'm trying to say here. So, Jeff, are you concerned? Ask Michael to comment? I can ask Michael to comment.

MR. BLAIR: The point is, I think, everybody else seems to feel like that's the most practical path, so go ahead – go forward.

DR. COHN: Yes. Michael, do you have a comment?

DR. FITZMAURICE: No, you've just said it, essentially: Let's look to the security rule and things that are reasonable and addressable and let DEA do what's required. The accreditation of professionals seems to be something that DEA would address in what they do.

And as I talk to the current network providers around the room, they seem to have it well in hand. They don't report any tap-ins and any egregious violations. So what they have is working. So I would give them room to work and to come up with any additional things beyond the security rule that they would want to do, and there's time for that.

I agree with everything you said, Simon, and I support what Steve said. I like Stan's addition of the accreditation.

DR. COHN: Maria?

MS. FRIEDMAN: If we were looking for the floor, I think the security rule is probably it.

SEVERAL PARTICIPANTS: Yes.

DR. COHN: Margaret?

MS. AMATAYAKUL: Could I ask a question? I'm hearing two separate things.

I'm hearing that we've got three buckets, however that should be arranged, and we'd like to bring them all together. I'm comfortable with trying to work on that aspect of it.

What I'm hearing, though, separately is, what is this – is it a standard, is it a rule, is it guidelines, is it no statement at all, just go forward with HIPAA? And that's not clear to me, what direction you all are taking. If you could sort of put to rest the three buckets because I think I'm hearing agreement on that. I'm not hearing agreement on rule, standard, guidelines, et cetera.

MS. FRIEDMAN: I think you have it backwards. I think we need to figure out kind of where we're going, because then the buckets will sort themselves naturally there.

MR. BLAIR: I'm confused!

DR. COHN: Okay. Well, I'm going to look at Eleni a little bit on this one just to see how far off we are.

Let me just make a proposed – once again, a straw man/straw person comment here. I mean, number one is I think we're saying that the security rule is a very good rule; it obviously includes a lot of risk analysis that every organization who's a covered entity needs to be involved in, and it's working. And we certainly think that that covers non-controlled substances.

We believe that there's an area of – maybe not the term "ambiguity," but there's an area that relates to controlled substances where there needs to be conversations between HHS, State Boards of Pharmacy and DEA to resolve how to best handle the issues of e-signature and other security issues relating to controlled substances. We urge that the outcome of the discussions relating to Schedule III through V be consistent with policies and processes in place for non-controlled substances and we recognize that Schedule II will require further investigation.

And I'm going to sort of stop there.

MR. BLAIR: Can I add just one piece to that?

DR. COHN: Sure.

MR. BLAIR: And that is, you're saying this in the context right now of the e-prescribing networks and what we need that will work within the e-prescribing networks now.

DR. COHN: Right. This is Recommendation 1, as opposed –

MR. BLAIR: Right.

DR. COHN: -- to further work –

MR. BLAIR: Exactly.

DR. COHN: -- to deal with PKI and sort of continues the idea that Schedule II needs further research and evaluation.

But I think what I'm trying to say is just sort of the obvious, because I think in all these guidelines and all that we sort of have gotten ourselves confused. Margaret?

MS. AMATAYAKUL: So that really the first Recommended Action relative to let's just leave HIPAA for the non-controlled substances is not really a recommendation directed to HHS but already is in place. So what I'm stumbling is we usually have been putting HHS to do something.

DR. COHN: That's a good question. Maybe it's an observation. But once again I would ask the Subcommittee members, because I may be going too far on all of this, but I think we all keep coming back again and again to the need for a good risk assessment following the guidelines from the security rule that seem to have held up pretty well.

And so that's an observation that works. I think maybe this isn't an action but that HHS accept that as appropriate for e-prescribing of non-controlled substances. Jeff?

MR. BLAIR: Yes. I think the importance of what Simon is saying – and let's see if I'm right this time – is HHS needs to get some agreement from DEA and the Boards of Pharmacies across the land that when we're dealing with Schedules III, IV and V that that could be used over e-prescribing networks today without PKI. And I think there needs to be some agreement with that because that's an area of ambiguity and it needs to be cleared up and we're saying that the baseline guidelines need to be agreed for that, and that that is Observation number one. Is that correct?

Did I go too far? Too deep?

DR. COHN: I don't think we're really into that. I think you're moving into the answer and I think we're trying to talk about the –

MR. BLAIR: Process.

DR. COHN: Yes, and Margaret, I think, is getting close; I don't know if it's all the same recommendations, but I mean we can play with that. But she has sort of HHS should accept that HIPAA provide satisfactory protection for non-controlled substances. And that may not be exactly what we want to say, but that sort of is along the – except for the security rule.

MS. AMATAYAKUL: Yes, I'll embellish –

MR. BLAIR: Yes.

MS. AMATAYAKUL: -- for now. [Laughs.]

DR. COHN: And I guess what I was sort of proposing, that HHS should seek agreement from DEA that III through V should follow the HIPAA – I guess I think there's a piece that I – maybe it's sort of beginning to agree with Steve, the big bucket with two sub-buckets or whatever.

But I think there's one, that HHS should begin to work with DEA and, Eleni, I think my view is that they have to work with State Boards of Pharmacy to get this all to work at the end related to controlled substances. Am I right?

MS. ANAGNOSTIADIS: Right. And I think the point that you might want to make, and I may be muddying the waters and I apologize if I am, is that in the end, I mean, pie in the sky, if we had our way, it would be nice for all prescriptions to follow the same system. The State Boards of Pharmacy are concerned about each and every prescription coming through and to be sure that there's a secure transmission. Most boards agree that an electronic signature is sufficient.

But you may want to say something like ultimately it would be nice for all of them to follow the HIPAA standards and have basically one system in place, with a caveat that the DEA may have further requirements for the controlled substances, Schedule IIs or something.

DR. COHN: Okay. I mean, I will apologize, but I lost you a little bit, but are you referencing primarily Action 1.1 up there –

MS. ANAGNOSTIADIS: Right.

DR. COHN: -- relation to non-controlled substances, or something else?

MS. ANAGNOSTIADIS: And maybe it's just an overall general observation that it's important for the security of all prescriptions to be transmitted following HIPAA regulations. And then put something in there that – "however, the DEA may feel that there are additional security measures that need to be taken with controlled substances." Or you could even just say "C2s." I mean, you know, we can't speak for them.

I just think the point is that we want to make sure that all the prescriptions coming through are secure.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: And then, the procedures that are in place now may be working. I mean, maybe we should talk to the network vendors and see – you know, they say that they haven't had like any hacking into their systems in the number of prescriptions that they're working on. So maybe that's sufficient -- they're following HIPAA standards. Is the DEA comfortable with what's going on in the marketplace today?

MR. STEINDEL: I mean, this is the approach that I'm looking at as well, and we should put this out as a straw man to DEA: HIPAA seems to be working within the community that is now using it for relatively sensitive transactions. You know, at a minimum, we know it can go down to all prescriptions excluding controlled Schedule II.

And we actually feel it's probably just as good as what you're going to come up with with Schedule II as well. And I think we should just take that as the approach to talk with DEA.

DEA has indicated that they're backing off what they've originally proposed, so they've obviously gotten some opposition to that. And during that period of time, we have two years – actually, just a few months because it only started in April – but in preparing for the security rule and et cetera, we have over two years of experience in working with it, and I think we should use that as a bargaining point with DEA.

DR. COHN: Do we have any – oh, Harry, I'm sorry; okay.

MR. REYNOLDS: Yes, I have a bit of disagreement that the HIPAA rule is working in relation to all of this. I think that the current HIPAA rule requires that if one covered entity has information, that when they transmit it some way, they know it's going, and when another gets it, they know. I think what we heard in the testimony was that the dispenser in this case is ultimately responsible for the validity of the prescription, is that correct?

MS. ANAGNOSTIADIS: Correct.

MR. REYNOLDS: The validity. So they own this whole concept. That's different than in HIPAA. If one covered entity sends it to the other covered entity, there's nobody ultimately in charge. In this process, there is somebody in charge, and I'd like to make sure we at least add that as a level because even though they both are covered entities – you have the prescribers who are a covered entity and you have a dispenser who is a covered entity, right, under the HIPAA rule? That's fine, but you also have that further step where the dispenser is ultimately responsible, and that's one of the reasons that I'm satisfied that what they're doing now is working, because there is some other law or something out there that that dispenser has to validate it, and that's different than HIPAA, because in HIPAA you don't have to do it.

So I guess if we were to add language around that, then I could be comfortable that it's HIPAA, but there's also some other law that's requiring that dispenser – you add those two together and I would be much more comfortable that you have a recommendation that carries a little more – just HIPAA alone I don't think covers it.

MR. STEINDEL: Harry, can I couch this in kind of HIPAA security rule jargon so it might make you happy?

MR. REYNOLDS: I'd be happy if you would.

MR. STEINDEL: Because since the HIPAA security rule requires that there be a risk assessment and then the security systems be put into place to satisfy the risk assessment, it's the dispenser that determines what the risk assessment is because that's the ultimate party that's involved with this.

MR. REYNOLDS: I agree, but – and somebody can help me – is there a law somebody put out that says that the dispenser is responsible for the prescription, validating the prescription?

MS. ANAGNOSTIADIS: Yes, I believe that a lot of the State Boards of Pharmacy have that in their regulations.

MR. REYNOLDS: Is there a Federal law?

MR. STEINDEL: No, there wouldn't be.

MR. ROTHERMICH: It's really two separate issues, because one is the recognition that you believe this is a secure enough chain to carry the prescription, that the HIPAA security rule secures the chain, and whether the State Boards of Pharmacy accept that as valid security so that the prescriber by default can accept it as a valid prescription is a state law question.

So the issue you're raising is really whether the pharmacist is entitled under state law to rely on the security of this system. But to me that's a separate issue than HHS recognizing that's sufficient security for prescribing under the MMA directive to create –

MR. REYNOLDS: I was hoping it had become a Federal – because I was hoping it would add a little more –

DR. COHN: Eleni, maybe you can help me with this one only because I'm just sort of remembering the State Boards of Pharmacy rules and regulations. I don't know the state where at the end of the day the dispenser isn't responsible for assuring the validity of the prescription that he or she receives. Am I in error about that one?

MS. ANAGNOSTIADIS: Yes, I think all the states have some sort of language. I just didn't want to blanketly say, in case, you know –

DR. COHN: Well, I guess maybe we'd ask you. I don't remember a state board that doesn't have that as one of sort of the fundamental precepts.

MR. WHITTEMORE: Ken Whittemore with SureScripts. Having been involved in reviewing basically all the state regulations, I would stake my next paycheck on the fact that all of them ultimately require the pharmacist to be responsible for the authenticity of prescriptions, and if they have any questions, they are to follow up on that.

DR. COHN: Yes, so authenticity – okay.

MR. REYNOLDS: Well, Simon, the reason I was trying to go there was, as you look at, from the DEA standpoint, on III through V, and you start thinking about what signatures, which they do now, the fact that that pharmacist is ultimately responsible I think adds a little more than just HIPAA security. I think it just adds another degree. They're in charge of the chain. And Steve, I take your clearly, but that's different than what people think of HIPAA.

DR. COHN: Well, I think this may be part of the observation here.

MR. REYNOLDS: And HIPAA security is still not clear to a lot of people, so I think it would help the case. More than be a legal way through, I think it would help the case as far as why we would recommend something.

MS. FRIEDMAN: I agree with Harry, because at the end of the day, as somebody said, the pharmacist is on the hook if things go wrong.

MR. BLAIR: So what are we left with with a recommendation that HHS do?

DR. COHN: Well, it's something that needs a lot of wordsmithing.

[Laughter.]

MS. AMATAYAKUL: So far what I have is "HHS should accept that the initial experience with HIPAA provides satisfactory protection for all prescriptions" – HIPAA security. "However, the DEA may feel that there are additional requirements for Schedule II controlled substances."

And then I have a sentence where I'm not sure where to put: "Dispensers' risk analysis must be satisfied that relative to state regulations they can validate the authenticity of prescriptions."

DR. COHN: Yes, and I think what we're almost saying is that HHS should accept the experience with HIPAA security in conjunction with dispensers' responsibility. We want to reference it higher – provide satisfactory protection for all prescriptions – because I think that's what we're sort of saying.

And I think the other question I would ask is that the next sentence needs wordsmithing but I think what we're saying is not just that the DEA may feel that additional requirements for Schedule II controlled substances; basically, I think what we're saying is that there may be additional requirements. I think the right sentence there opens the door to a conversation around controlled substances, and that's a conversation that needs to occur between HHS and DEA, and NCVHS has a perspective on this, and recommendations.

MR. BLAIR: So, out of this there's nothing that would go forward which leave any form of these guidelines?

DR. COHN: Well, I think that's the question. Marjorie?

MS. GREENBERG: Are you asking if we could just accept that the industry's experience with HIPAA security blah-blah or are you saying HHS could accept that the HIPAA security rule, in conjunction with the dispensers' responsibility to validate and provide satisfactory –

DR. COHN: Marjorie, I think you said it very well – thank you. You're right.

MR. BLAIR: For the non-controlled –

DR. HUFF: Simon?

DR. COHN: Yes, Stan?

DR. HUFF: Logistically, I want to let you know that I'm going to have to leave in about 10 minutes, so I didn't know if you wanted to try to do any scheduling of conference calls or other things or –

I mailed my availability back to Maria on the spreadsheet so you'd have that for consideration, but, anyway, do whatever you want. I just wanted to let you know that I'm going to need to leave in about 10 minutes.

MS. FRIEDMAN: Thank you, Stan. It's Maria. I think I'm going to have to look at everybody's availability and get back by email --

DR. HUFF: Okay.

MS. FRIEDMAN: -- to you because I haven't had a chance to go down and check your availability and I need one other person's.

DR. COHN: Okay. Well, anyway, are we sort of – getting back to this – are we sort of conceptually sort of getting close on this one?

MR. REYNOLDS: Yes. This is Harry, and I think Jeff stated it well. I like the fact that somebody said earlier we were being prescriptive. I think that this uses frameworks that are in place, this uses laws that are in place, this uses structure that's in place. It allows the DEA to weigh in as they see fit. You could start a pilot tomorrow morning with this language and you could continue doing whatever needs to get done to continue this MMA going forward.

And I think it sets the kind of framework that is not overly prescriptive but on the other hand clearly defined, and whether we want to mention anything else about the testimony that we heard above, as Margaret mentioned, maybe it really needs to be moved further up. But I think that way it bases it on – because I think the industry was real clear, that they don't have a single standard on it, when pushed on a couple times, and I think that's enough.

DR. COHN: Okay. Well, let's get back into this stuff because I'm sort of seeing – I don't know what you just did, Margaret, but I think there are actually actions here.

MS. AMATAYAKUL: There may be, but we can add them.

DR. COHN: Okay. Well, I guess from my view, I guess we're all, everybody – Jeff, you're okay, at least until you see it next, until you get it read? Sorry about that.

MR. BLAIR: That's okay.

MR. ROTHERMICH: Can I ask one quick question –

DR. COHN: Sure.

MR. ROTHERMICH: -- just to Steve's point earlier? He was sort of wondering whether HHS might push DEA further to accept this kind of recommendation for C2s as well. And one of the things we heard in the testimony was that if DEA went forward with what they were proposing, the likely result would be that everyone would just keep doing paper for controlled substances, which is not necessarily a good result because I think there is a recognition that this system is more secure than paper.

And I just wondered if the Subcommittee might want to take a position here to push on DEA, based on the testimony, because I think there was a lot more public input on that subject than maybe was there, and I just don't know if you want to go that far.

MR. STEINDEL: I think what Margaret has in there – she's maybe doing a little wordsmithing right now – but the second sentence addresses that. And we're saying in the first sentence we don't think we need it, and in the second sentence, okay, DEA may think that, so we'll explore it.

DR. COHN: I think there needs to be a lot more than what I'm seeing right now and I think Margaret realizes that. And I guess my own view is that there's a couple of steps here. One is obviously our assertion in the first sentence. The next one is the recognition that DEA has significant input for control over controlled substances.

And that HHS needs to sort of explore and probably clarify with the DEA how controlled substances are to be handled, because I think I was hearing a fair amount of confusion both in the industry and also about the State Boards in terms of what exactly the DEA was going to do. And I think the industry would be served by clarification from the DEA on all of this.

And then I think it's our position that – I think I was hearing from the Subcommittee where we believe III through V should be handled in the same way; Schedule IV may be a particular area that needs additional research and evaluation to make that determination on it.

But once again, I'm looking at the Subcommittee and I don't know if I'm going beyond what others think, but I think that's where we were trying to get to with these recommendations.

MR. BLAIR: Can I add one piece to that? And I agreed with your wording –

DR. COHN: Yes, and then I have a question for Eleni.

MR. BLAIR: I agreed with your wording, and I know we struggled a lot to sort of get to that, but I happen to think that it is really, really important because although we're not winding up saying that this is focused on the pilot tests, we don't want to be in a situation where DEA winds up coming up with something that doesn't reflect the thinking that's been expressed in the Subcommittee meetings now for a couple of months and then blindsides us with requirements that were not anticipated.

So I think that that clarification and agreement, that HHS needs to obtain that to make sure that we're not going forward with assumptions that DEA completely disagrees with.

DR. COHN: Okay. Now, my question to Eleni was: In the discussions around controlled substances, do the State Boards need to be part of that conversation, or is it more that they need clarification like everyone else?

MS. ANAGNOSTIADIS: I think it would be helpful if they were part of that process, to have the discussions and conversations.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: I mean, ultimately it's the authority of the DEA to make up those regulations.

MR. REYNOLDS: Is it fair to add here a sentence about the testimony we heard – I'll throw it out, for example – "However, from all segments of the industry we heard that if controlled substances, however they are part, require a significant different security with the implementation of e-prescribing or they may not become part of e-prescribing."

I didn't word that right, but that's kind of the message I think we heard. And what percent that is, whether that's two to three or 15 percent, is really what it turns out to be.

DR. COHN: Yes, Margaret, you actually have something up there that's probably true but I think we were saying something a little different also, which is that I think we were also trying to say that if a different security methodology is used for controlled substances, nobody may use e-RX for controlled substances. So I think we were also trying to say that.

MR. REYNOLDS: I would reference that we definitely established clear testimony from all segments – prescribers, dispensers and all of the associated entities in between.

MR. STEINDEL: And the results of one pilot.

MR. REYNOLDS: Right.

DR. COHN: Now, it's not fair to start wordsmithing it all. The point is, Margaret, you're working, I know.

I'm just looking at the blue sentence in 1.1, so basically how HHS should – I mean, what we're sort of saying is here not on how controlled substances may require additional protection but how controlled substances should be handled in e-prescribing.

And the rest – I mean, I'm not going to wordsmith beyond that. It was just that it's a different thought there.

Well, I guess we should ask everybody: Are we getting close? Subcommittee members, are we getting closer?

There always is the first draft and we're – you know.

DR. HUFF: Yes, I'm having a hard time seeing what you're typing but –

[Laughter.]

MR. BLAIR: Join the crowd.

[Laughter.]

MS. AMATAYAKUL: Could I read it one last time?

DR. COHN: Well, you should, but I feel like we're sort of getting exhausted here on this one. You may want to –

MR. REYNOLDS: Margaret, if I were you, I would ask for volunteers to take your place. And you are going to see a lot of hands!

MS. AMATAYAKUL: Our Recommended Action 1.1:

[Reading] "HHS should accept that the HIPAA security rule, in conjunction with the dispensers' responsibility to validate authenticity of prescriptions, provides satisfactory protection for all prescriptions. However, HHS should clarify and reach agreement with the DEA and State Boards of Pharmacy on how controlled substances should be handled within e-prescribing."

DR. COHN: Yes. And let me just make a comment here. What you should say is: "However, NCVHS recognizes the DEA has the major role and provides oversight on matters related to controlled substances."

MR. BLAIR: Now, on that first sentence, that first sentence I think is a fair statement of our recommendation related to prescriptions over e-prescribing networks. We're not going beyond the e-prescribing networks when we make that statement. So I think you need to make sure that phrase is in there to bound it.

MS. AMATAYAKUL: Got it. And then: [reading] "If controlled substances require a significantly different level of security, no one may use e-prescribing for controlled substances, and therefore the benefits of e-prescribing may not be able to be achieved."

DR. COHN: Yes, and whether that's there or on an observation, it's obviously something that's obvious to you.

Now, I guess we still have most of the other recommendations to impact, and I'm thinking of 1.2, which is "HHS should work with DEA to support analysis in the potential risk associated with sending prescriptions for Schedule III controlled substances through an e-prescribing network," period. Didn't want that?

MS. AMATAYAKUL: I thought it was –

DR. COHN: I don't see it. Oh, I see.

MS. AMATAYAKUL: I didn't think any of those others were needed.

MR. REYNOLDS: I mean, I would agree. I'm not sure we need the rest.

DR. COHN: Well, okay, I guess I'm missing something then, because I think that we were urging that Schedule III through V –

MS. GREENBERG: Yes, we lost that.

DR. COHN: -- should be handled in the same fashion as non-controlled substances. Are we not going to make that recommendation? Isn't that we're asking HHS to work with them on this? I thought that we were still going forward with that. Maybe I'm missing –

MR. STEINDEL: Simon, I'm reading it again, and I agree with you; we should put somewhere in there that while we look at III through V a little bit differently than II and we feel III through V definitely should be handled the same way as all others, as non-controlled substances –

DR. COHN: Yes.

MR. STEINDEL: -- and that should be HHS's position.

DR. COHN: Yes, and then –

MR. STEINDEL: And we can wordsmith that in, but I agree, it's not explicit enough there.

DR. COHN: Yes, and then we're sort of saying this whole issue about additional analysis is scheduled here.

MR. STEINDEL: Yes.

MR. WHITTEMORE: Ken Whittemore again. I think you could do that just by, in the first sentence where it says "the satisfactory protection for all prescriptions, including Schedule III through V controlled substances, over e-prescribing networks."

MR. STEINDEL: I think it's nice and clean this way.

MS. GREENBERG: Does the Committee believe that the security rule in conjunction with the dispenser's responsibility is adequate to provide satisfactory protection for Schedule II also over an e-prescribing network?

MR. STEINDEL: That's my position, until proven otherwise, and I don't think I've seen anything from DEA that proves otherwise.

MS. GREENBERG: I'm just asking.

MR. REYNOLDS: Especially after we heard the testimony on the current paper process.

[Laughter.]

DR. COHN: Well, I guess I need to ask everybody specifically – I mean, I guess I myself, and I'm speaking one vote here, had always thought of Schedule II as something slightly different, and because of my years of writing prescriptions, the additional steps one has to go through, and indeed that's noted by the State Boards of Pharmacy in many of statements and practices. So I think it's a point that needs to be further investigated.

Marjorie, and then Judy – oh, Judy, and then Marjorie.

MS. WARREN: I was just going to say, didn't we hear, when Florida testified with their Medicaid program, that because they were using e-prescribing, they could find a lot more fraud and abuse with the electronic connected with paper? Well, I would assume that would be the same for a Schedule II drug, which is one that we're doing.

So maybe we should say, Action 1.2, that the controlled drugs, we should have as the same process as above, because I'd like to keep the controlled drugs as a separate statement from the non-controlled.

MS. GREENBERG: Well, it just seems if you're going to have something in 1.1 about controlled substances, that's the place to say that – somewhere, wherever you said it, somewhere else, that HHS should urge DEA that Schedule III through V be handled the same as all non-controlled substances and that analysis should be done as to why the – or something about why Schedule II needs to be handled differently, because it's kind of fragmented otherwise. You're saying they should work with them, and later you're saying about III through V.

But it might be just to stop 1.1 at over e-prescribing – you know, at networks, then go into the statements about your next one, saying "however, we recognize that DEA has this little – so you need to work with them" and then make the statement about Schedule III through V and something about Schedule II.

DR. COHN: So basically Action 1.2 becomes sub out of that next piece. Or something like that.

MS. GREENBERG: And then make your comment about "if controlled substances require da-dah –" the benefits may not be accrued, and in fact, testimony was used, too, that a lot of people won't use e-prescribing.

DR. COHN: Okay. Lori?

MS. REED-FOURQUET: Yes, I think you need to include in there HHS, the DEA, things that need to be worked through, and risk assessment from DEA's perspective on the controlled substances. I think we've not really not taken a look. At the existing e-prescribing networks, there is very little incentive to break security to get an uncontrolled substance. There is a huge incentive that is available to the general population to the abuse the code substances of multiple schedules – I think Schedule IV presented as one, but there are many others.

And so the risk analysis with those incentives and open networks and access to those people who have incentives has truly not been done in any of the hearings that I've heard here. And I believe that risk assessment needs to be part of this process with HHS and the DEA to determine whether it's a III through V, a IV, maybe V only. We're almost arbitrarily breaking out Schedule II in recognizing that it is the one that needs the most security.

DR. COHN: Lori, thank you.

MR. BROOK: But I just want to make a point that somebody just alluded to a moment ago – this is Richard Brook from ProxyMed – surrounding the security in the audit trail.

I think, as I mentioned before, ProxyMed does transmit IIIs, IVs and Vs; however, it's the pharmacist's responsibility, again, to call back to verify or confirm that. However, again, we have not had any issues whatsoever over the last eight or nine years with doing this where somebody did break in, looking for, or actually intercepting, the message.

So I think if we're going to move forward and talk about that, things that have been – the authentication, the audit trail, all of those things that when we remove paper from this, there is much more security in potentially doing III and IV.

DR. COHN: So let's see if we can sort of take all that and look at this things. And I think, first of all, we are trying to limit these conversations and recommendations to e-prescribing networks, and I think we've indicated, I believe, that we think there's probably more stringent measures – and I don't know if they got lost here, but more stringent measures are probably necessary if someone gets into a more open network for e-prescribing. And I think we've said that, correct? I'm just not sure whether that got lost in all of this or –

MR. BLAIR: Well, actually, Observation 2 starts to address that process.

DR. COHN: Does it? Okay.

MR. BLAIR: Yes.

MR. REYNOLDS: Simon?

DR. COHN: Well, I just think we need to make sure that that gets handled in the appropriate places in all of that. Now – I've lost my train of thought. Harry?

MR. REYNOLDS: You know, if you were sitting on the other side of the table, if you were DEA, obviously when we talk about what the current process is where the dispenser could send back a response to the prescriber, when you get to Schedule II, maybe you require something like that.

I mean, there's ways to take the current process, require pieces of it that you could upscale so that basically any time there's a Schedule II – so you're leaving the framework. You may require pieces of it differently back to the prescriber or others. Right now, if there's a wet signature, a person may fill a Schedule II, but electronic, if a Schedule II came across and a message was sent back to them, then you're absolutely at a higher level now than you have now with paper, even than you have now with anything, because – so those are the things that I think, the structure that we painted in our observations up front, those are ways – and I would hope that the DEA and HHS would look at it and maybe for any controlled substance, require some things like that.

So those are thoughts. So I think our structure allows a ratcheting down without changing the whole industry and what we had up there. That's just an example.

DR. COHN: Okay. I don't know what to do with that, but –

MR. REYNOLDS: No, I'm trying to cross-check as to whether there are ways – we talked about a process because the things that right now might be optional could be made mandatory.

DR. COHN: Okay. Now, Margaret, help us with this. How much more do we want to work on this version with you taking it back and wordsmithing? I think what we're –

MS. AMATAYAKUL: I'm more comfortable now than I was when I asked that earlier question --

DR. COHN: Okay.

MS. AMATAYAKUL: -- so I think we could probably go forward.

DR. COHN: Okay.

MS. ECKERT: Can I ask one quick question?

DR. COHN: Sure, please.

MS. ECKERT: Karen Eckert from Medi-Span.

In Recommended Action 1.1, when we used the word "prescription" in the second line and "all prescriptions" in the third line, are we saying controlled and non-controlled? Because you break out the controlled later, so I think by doing that, it gets confusing in 1.1 if you're referring to both or because you didn't specifically say almost parenthetically controlled and non-controlled afterwards. People may think we're trying to do two different things.

I thought that's what we were saying at one point, and then when we started adding the other recommendations, I kind of lost that point.

DR. COHN: Okay. So let's take a read of 1.2 and 1.3 just to see how close we are.

MS. AMATAYAKUL: Shall I read 1.2?

DR. COHN: Please.

MS. AMATAYAKUL: [Reading] "NCVHS recognizes that the DEA has a major role in oversight on controlled substances. HHS should clarify and reach agreement with the DEA and State Boards of Pharmacy on how controlled substances should be handled within e-prescribing. HHS should urge DEA to conduct a risk analysis to support that Schedule III through V is handled the same as all non-controlled substances.

The controlled substances require a significantly different level of security. No one may use e-prescribing for controlled substances, and therefore the benefits of e-prescribing may not be able to be achieved."

DR. COHN: Okay. I guess the one question I'd have, I think one of our people who commented sort of talked about the risk analysis for level III to V. I don't know how you do a risk analysis where it looks like you already know the answer. Well, it says, "risk analysis to support that Schedule III may be handled the same as all non-controlled substances."

MS. ANAGNOSTIADIS: How about something like "to determine whether or not controlled substances can be handled the same way as non-controlled substances?"

DR. COHN: Okay, maybe that's – "to determine" –

MR. BLAIR: And I think the thing that would help in that sentence is that this is a risk analysis within the context of an e-prescribing network.

DR. COHN: Okay. Well, now, I guess I just want to bring up the question – I mean, are we – we have moved now from the same III to V and now we're talking about risk analysis be conducted. What is the feeling of the Subcommittee? I mean, because this is a change in recommendation. Maria, did you have a comment on that?

MS. FRIEDMAN: I do. I'm not sure. I mean, DEA may have conducted this risk analysis, for all we know, and we'll find out when they write things out; it would be in an impact analysis. We just don't know.

DR. COHN: Marjorie, please.

MS. GREENBERG: Well, I feel like I'm now in a sense contradicting what I said earlier because, in fact, HHS cannot unilaterally accept that the HIPAA security rule is fine for all transactions because, in fact, as we say in 1.2, HHS doesn't have control over controlled –

DR. COHN: We said back in 1.1.

MS. GREENBERG: No, but I think you could say "HHS should take the position that –"

DR. COHN: Thank you. That's very good, thank you.

Okay, now let me get back to that question, though. Is our recommendation that HHS as the next step regarding III through V, is it our position that they need to conduct a risk assessment to evaluate whether Schedule III could be handled in the same way? Or we had been making the stronger assertion before this. This basically becomes an action to study now.

I guess I would ask the Subcommittee whether that's their current position or whether our position is that it should be handled the same way. Lynne, were you going to comment on this or were you – okay. So let me just ask: Where are we on that particular recommendation?

MR. BLAIR: I think we're okay.

DR. COHN: Okay, so you want to do the risk analysis?

MR. BLAIR: Yes.

DR. COHN: Okay, and then we're going to have them do a separate risk analysis about Schedule II?

MS. WARREN: The risk analysis tells whether the Schedule III through V can be handled?

DR. COHN: Okay, I guess I would ask, then: Why are we at that point if we're asking them just to do a risk analysis? Why are we only doing a III through V as opposed to II through V?

MS. WARREN: Right. It should be all of them.

MS. AMATAYAKUL: But if you do that, then your position is that you want to open it to all controlled substances as opposed to urging them the III through V.

MR. STEINDEL: I think we just want to word it so that even though the scope of the risk analysis covers them all that the risk for Schedule II – they need to be three separate risks analysis and see if – I just don't want a situation where you wind up saying Schedule II becomes the bar for everything else.

DR. COHN: Okay. Let me just make a comment here, and I certainly am only one vote on the Committee, but I am concerned that we appear to take, at least in perspective, a giant step backwards in this recommendation and I'm not myself willing to support – and it's my vote that we move from stating that III through Vs are okay versus III through Vs need a risk analysis.

MR. STEINDEL: I agree with you, Simon.

DR. COHN: I think we just take a poll of the Subcommittee because if I'm off on this one – I mean, I'm one vote, but I am not comfortable with this one personally. So –

Well, before what we were saying is that III through Vs should be handled the same way. What we're saying here is that DEA should conduct – we're urging them to conduct a risk analysis to figure out what their position ought to be. And my view was is that we need to do a risk analysis on II but that I think we had reached a recommendation on III through V, or at least a perspective on what ought to happen.

MR. BLAIR: Oh, I see what you're saying.

MR. REYNOLDS: Where's that wording, Margaret?

MS. AMATAYAKUL: So you could say –

MR. REYNOLDS: No, no, where's the wording Simon described?

DR. COHN: Oh, it's HHS should work with DEA to clarify –

MR. REYNOLDS: No, no, I'm talking where you originally said we took a stand. I just want to see that.

DR. COHN: Yes, Margaret, let's see.

MS. AMATAYAKUL: What I've added in red is what we formerly had and what we changed it to is in black here. So we originally had "HHS should work with DEA to clarify that III through V should be handled the same as non-controlled substances." What we changed it to is "HHS should work with DEA to determine the risk analysis, whether Schedule III through V can be handled the same as –"

MR. REYNOLDS: No, I'm in 1.1, because that's what Simon's referencing.

DR. COHN: No, I'm referencing 1.2.

MR. REYNOLDS: You said we took a stand at some point.

DR. COHN: Yes. 1.2 used to be an assertion that we – and let me just see if we've got the –

MS. AMATAYAKUL: Well, the very original 1.2 wasn't quite the same.

MR. REYNOLDS: Let me make it simple. Simon, I agree with you.

DR. COHN: Okay!

MR. REYNOLDS: I totally agree. I thought you meant – I thought we had put in – I was going back to make sure it said it.

MR. BLAIR: So the risk analysis should be on Schedule II only, is that correct?

DR. COHN: Right. And once again, I just wanted to say – I guess I need to poll –

MS. WARREN: I know where we got wrong is –

MS. WARREN: You made mention from ASTM that a risk analysis hadn't been done on the others and that maybe it should be done.

DR. COHN: The microphone?

MS. WARREN: Well, I think where we went wrong is we heard a previous comment that risk analysis had not been done on III to V and maybe that should be done. And so that's where we got to this point.

DR. COHN: Right.

MS. WARREN: But agree back with you. Previously, we had discussed that we already thought that III to V could be handled with e-prescribing with the security that was in place. So I'm supporting what you said, Simon.

DR. COHN: Okay. So, okay, so I guess I'm hearing everybody supporting this.

You know, we're in a position where obviously our role is to take testimony and comments and parts up to this are sort of putting together all of the testimony and reflecting on testimony and statements made. These are actually recommendations that we're making about next steps, so this is obviously a refinement and it becomes our judgment on this. So, Eleni?

MS. ANAGNOSTIADIS: I just have a comment about the first two sentences on Recommended Action 1.2. By reading "NCVHS recognizes that the DEA has a major role in oversight on controlled substances," it seems like there's another entity that has some type of regulatory authority over it –

DR. COHN: State Boards?

MS. ANAGNOSTIADIS: -- so I think it should be that they are the authority over controlled substances, so I would make that a little stronger.

And then the second sentence, and I think I might have misunderstood you when you asked if you felt the State Boards should be involved – if you say HHS should clarify and reach agreement with the DEA, I think you got to remove State Boards of Pharmacy because we have no authority over making regulations for controlled substances.

Now, if they want to consult with us, that's a different story and we would be happy to enter into a dialogue, but when you're talking clarifying and reaching an agreement regarding controlled substances, I think that the State Boards of Pharmacy need to be removed there.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: Or in consultation with – you know.

MS. AMATAYAKUL: So, would it be appropriate to add in the third sentence, "HHS should work with DEA and in consultation with State Boards" there?

MS. ANAGNOSTIADIS: Again, if you're talking about the clarification based upon the testimony that the DEA provided, I mean, I guess that's where we're getting that statement from. By clarifying, am I correct or is it just our assumption that that's what it needs to be?

But if you're clarifying that III through V should be handled the same way, I would think that it would be based upon the testimony that the DEA gave saying that they would be willing to look at different processes.

Again, we're happy to work with the DEA, but we can't make – you know, we're not the final authority; we can't say, yes, this can be done, or no, this cannot be done.

DR. COHN: Okay. I guess my only question, obviously why I've had you come up and sit with us, is that I know the State Boards play a different – an additional role –

MS. ANAGNOSTIADIS: Right.

DR. COHN: -- in all of this stuff, and once again, it may be my misunderstanding, but I've always sort of thought of the DEA as the floor and then the State Boards might add additional things on top of it. Did I misunderstand your testimony yesterday?

MS. ANAGNOSTIADIS: No, no, no. You're absolutely right. But most likely the State Boards won't go more stringent than what the DEA requires –

DR. COHN: Okay, so maybe that's –

MS. ANAGNOSTIADIS: -- in notification.

DR. COHN: -- less of an issue, then. That was my main –

MS. ANAGNOSTIADIS: Right.

DR. COHN: -- concern there. Okay.

Margaret first, and then you.

MS. AMATAYAKUL: Could we ask Eleni then to look at 1.3 where we have DEA and State Boards and see if that's appropriate also?

MS. ANAGNOSTIADIS: Yes, that's fine, to work with – oh, to support additional analysis of the potential risks. But you talk about earlier to clarify --

MS. AMATAYAKUL: Yes, okay.

MS. ANAGNOSTIADIS: -- whether or not they could be handled, so I don't think that falls under our purview.

DR. COHN: Well, I appreciate that.

MS. HELM: Hi, this is Jill Helm with Allscripts again. I have a bit of a different perspective.

We see that State Boards as well as the DEA have a role in controlled substances, particularly in the transmission of controlled substance prescriptions. I mean, if you look at, for example, paper processes, the states have a very active role in determining the triplicate requirements and what the controlled substance prescription blanks look like. And many states have addressed the issue of electronic transmission of controlled substances either by deferring to the DEA or looking to put some regulations in place perhaps would be in addition to anything that the DEA puts forth.

So I think it's appropriate to include them in this process so that there's not inconsistency. What I would not want to see is a different requirement for controlled substance Part D prescriptions versus just controlled substance prescriptions for the general population.

DR. COHN: Okay. I'm thinking of how to include this. I think maybe there's a separate sentence here that basically HHS should work with – maybe we'll call them all "the states" because I think I heard from Eleni that sometimes they're in different agencies that are involved with this in addition to State Boards –

MS. ANAGNOSTIADIS: That's true. Some have –

DR. COHN: -- basically to assure to the maximum step possible that there's uniform application of – I don't know. Harry, do you have the last part of the sentence –

MR. REYNOLDS: Yes –

DR. COHN: -- and a question? Oh, let's get to Maria.

MS. FRIEDMAN: Are you talking about to facilitate e-prescribing over secret networks? Are you talking about use of standards where we talk about –

DR. COHN: I'm talking about for controlled substances, application of –

MS. FRIEDMAN: Is it requirements for electronic controlled substances?

DR. COHN: Yes, application of requirement – maybe there's requirements for –

MS. FRIEDMAN: Whose requirements? It's usually the DEA is the floor.

DR. COHN: Yes, it's uniform –

Why don't we stop on this one and we'll figure out the wordsmithing and whether it's – yes, sure won't come to me right now. So to mark that it needs to be wordsmithed.

Lynne, you've been very patient. Why don't I let you –

MS. GILBERTSON: Lynne Gilbertson, NCPDP. It's been interesting because we've now walked through the comment I wanted to make which Jill made it, and also to where we cite working with the Boards or working with whatever to also include working with the industry, because that's where your knowledge comes of how you apply, and it's one thing to build a regulation or a floor but you want to make sure it has a proof of concept with what the industry can support as well.

And given that there's a lot of hard definition changes, clarifications, modifications that have occurred in the State Boards where the definitions of a lot of these e-prescribing, e-signature, digital certificate, all those kinds of things, I think you need the industry involved to help tie some of those loose ends up in these discussions.

DR. COHN: Thank you.

MS. ANAGNOSTIADIS: Lynne, were you talking about under Recommended Action 1.3 or –

MS. GILBERTSON: 1.2 and 1.3.

MS. ANAGNOSTIADIS: Okay.

DR. COHN: Well – okay. Maybe, and actually that's what I was having trouble with – maybe it's HHS should work with the state and its representatives to insure to the extent possible there's uniform implementation of DEA requirements for e-prescribing of controlled substances.

MS. ANAGNOSTIADIS: And I think that's nice and clean because it defers to the DEA at the top, knowing that they're the authority to make those baseline guidelines.

DR. COHN: Are we okay? Oh, please –

MR. REYNOLDS: MMA preempts state law.

DR. COHN: Yes, for Part D.

MR. REYNOLDS: We just put up there to bring the state law back in – I think.

DR. COHN: Well, no – let's go back and visit – this is almost our transition to the NPRM. If you remember what happens under the concept of federalism, Part Ds are covered by MMA, Part D prescriptions, but not all e-prescribing –

MR. REYNOLDS: I agree.

DR. COHN: -- except to the extent that it interferes with Part D prescribing.

MR. REYNOLDS: Right.

DR. COHN: And so what we're right now doing is we're continually calling for that everything should be the same, and so this is where we're trying to go with on this one, across states. Does that make sense? I mean, that's why people work together to get uniformity.

MR. REYNOLDS: I understand. I'm just –

DR. COHN: Is that okay?

MR. REYNOLDS: -- double-checking.

DR. COHN: Okay. I think that was where we were going. Okay. Do you have a question? And then I want to begin to transition a little bit here.

MS. FRIEDMAN: I have a question, because now we're asking HHS to kind of help DEA enforce or implement their regulations?

MR. BLAIR: No. At least I hadn't heard anything –

MS. FRIEDMAN: It says HHS should work with DEA to – it's that next sentence – HHS should work with states and industry representatives to assure to the extent possible that there is uniform implementation of DEA requirements for e-prescribing controlled substances. Do we really mean that?

I don't think we ought to let the DEA –

MR. BLAIR: Maybe it's guidance, uniform application, rather than implementation.

MS. FRIEDMAN: I just don't see where HHS has a role --

MR. BLAIR: -- Maybe you meant "consistent."

MS. FRIEDMAN: -- in working with the states to effect implementation of DEA regulations. We have enough trouble with our own.

DR. COHN: Okay, I'm going to suggest, without solving this particular one, we may want to remove that whole sentence, but I will defer to the next version of this one. I think we're wordsmithing to the point where we can't even see the recommendations anymore. Yes, I think we need to let Margaret work on this, and I think things have gotten a lot simpler, which is good. We actually understand even some of the terms that were a little fuzzy.

Now, do we want to talk about the recommendations in 2 at all, at this point?

MR. BLAIR: Let's get at least initial reactions to it.

DR. COHN: Okay, and then I'd like to spend a couple minutes talking about the NPRM response and all of that. Marjorie?

MS. GREENBERG: Is this letter going to include anything about the other areas that you deferred from your November letter?

DR. COHN: We're going to talk about that for a minute, too. Thank you. But let's talk about the recommendations – I don't know; do we need to read through the entire Observation 2?

MR. BLAIR: I don't need – as long as everybody else could see them, I remember what they are.

MS. AMATAYAKUL: So Recommended Action 2.1 is:

[Reading] "HHS should conduct pilot tests to evaluate the feasibility of adopting stronger authentication and non-repudiation measures such as provided for through PKI. These pilot tests should be conducted in the general prescribing community and test the ability to scale adoption of these security services for e-prescribing across prescribers and dispensers in multiple environments."

MR. BLAIR: Now, understand that the observation indicated that this is to apply to anticipate that there might be the requirement to send prescriptions over the open Internet.

MS. FRIEDMAN: And my question is: By pilots – we talk around the word "pilot" all the time, and to me, since I'm so MMA focused, to my mind, pilots, at least in a very narrow view, refers to what's required under the MMA. And sometimes – and this is an example – we might want to have pilot kind of outside, other pilots going on in other places.

I just want it clarified. Do we want to have this under the MMA pilot for 2006 or are you talking about testing additional functionality and piloting it in some other way?

MR. BLAIR: Well, the thing is, at least I was thinking – and again, this may not be feasible, Maria, because whatever constraints you may have – yet I was envisioning that there was going to be multiple pilots and that probably the great majority of the pilots would be over e-prescribing networks, and this was just indicating that under the coverage of the MMA with the pilot tests beginning in January 1st, 2006, that there be at least one pilot test that would prepare for the possibility of the future where things would be over the open Internet.

So, yes, I was thinking of it within the MMA.

DR. COHN: Though luckily it's ambiguous. Lori, and then Harry.

MS. REED-FOURQUET: I actually want to make a comment on the observation up above and I don't recall exactly where it said it where you described the current process, by use of either the private leased lines – below there, right there – "these authentication measures are bolstered by use of either private leased lines or security protocols," et cetera.

There is an implication there that the other protocols are also being conducted over private networks as opposed to the open Internet, and you've been very clear in other places to distinguish open Internet. If those security protocols you're referring are server side SSL, then that is being conducted over the open Internet and it is simply assuring encryption between the end user and presumably the application service provider, and it is assuring server side authentication, meaning that you're not going to trick the end user application into going to a false location to conduct their business and transactions.

DR. COHN: Well, that's a very good point. Thank you. Harry?

MR. REYNOLDS: Based on what we've said above, I'm not sure that this observation matters anymore. We are basically saying it's under the HIPAA rule, the dispenser's responsible, you got to secure it, you got to validate your security. And I think the point that was just made is some of this stuff, there's business related to HIPAA going all over the Internet right now.

And the point is, it better be secure, and you're on the hook, and you're in trouble if you don't do it.

And so I'm not sure that parsing it out here does anything plus or minus.

MS. FRIEDMAN: Aren't you trying to open the door, though, for the open Web-based applications? That's where I thought you were going with this, Jeff. Am I wrong? And that's where you're making this distinction.

MR. BLAIR: Well, there's a phrase in the observation that when you're looking at the e-prescribing networks, there's a level of security, an authentication where we don't want to impact the business case of the e-prescribing networks, we don't want to – you know, all of the things that were listed that the industry testified to us.

On the other hand, if we don't include some pilot testing of the feasibility of PKI for the future in environments that are not in the e-prescribing networks, then we're just, I think, leaving ourselves vulnerable for the future, not having tested them, and as we go forward here.

DR. COHN: But Jeff, let me ask an odd, and maybe awkward, question to you, and I will apologize; I'm not a security – my title's not director of security for my organization. But obviously we have been using the term – what?

MS. GREENBERG: I said, thank goodness! You have enough to do!

DR. COHN: I have enough to do – okay. But we obviously in a number of places mentioned over the open Internet that I think that at least what Lori was asserting in her comment just now is that an organization that uses SSL at least technically is doing something over the open Internet.

DR. FERRER: Can.

DR. COHN: Can be over the open Internet.

MS. REED-FOURQUET: It is a "can" and I believe that there are a number of current implementations whereby the physician's interface to their application service provider is being conducted over the open Internet through SSL server side protection only, user name and password. Hand-helds, PDAs that are accessing a service over wireless communications, for instance.

DR. COHN: Okay. Lori, thank you. What I'm just reflecting on is that I think we need to go back and look at the background and everything else. But I think we're still talking about the HIPAA security and the risk analysis and all that, but – Steve? – I'm just bringing up this additional wrinkle.

MR. STEINDEL: I kind of agree with Harry. I've had a problem with this observation in these recommendations since I first saw it and I think we've got it pretty much covered under 1. And I am reluctant to propose a pilot for PKI under any guise, e-prescribing or anything else, at this point in time.

DR. COHN: Margaret, and I guess we need at that point to take a poll of the Subcommittee to see where we want to go with this one. Margaret?

MS. AMATAYAKUL: I would just like to remind everybody that the CMS Internet policy is still in force that does not allow for claims to be transmitted over the open Internet. And so I think that that should just be in your thinking as to whether you want to do this or not.

DR. COHN: Margaret, thank you. Lori?

MS. REED-FOURQUET: Regarding the PKI pilots, we would like to see a convergence between the health informatics standards, the health information system vendors' approaches to security and digital signatures which we are moving forward with to be able to be piloted in conjunction with the electronic prescribing pilots.

DR. COHN: Lori, thank you. You know, we have a couple of options on how to handle Observation 2. Certainly, one position is sort of what's here, and certainly Maria has asked for clarification about whether or not this is a 2006 pilot, so this isn't really HHS but CMS pilot, or whether it's some other kind of pilot.

And then, of course, the observation's been made about whether or not there ought to be any pilots whatsoever or whether the Subcommittee and full Committee ought to be silent on this issue.

Obviously, we've got sort of multiple choices here and so I think we need to decide where we are on all of this. Maria?

MS. FRIEDMAN: The reason I'm asking for clarification is that CMS and the Department take these recommendations very seriously, and so I just want to make sure that we're clear on what it is you're asking to be done and what time frames, because if it's an MMA pilot, you know, it's a very short time frame and the technology is very different than it would be if you were going to look to see if this is more a feasibility kind of thing in a broader perspective.

DR. COHN: Okay, Mike, maybe you have a comment.

DR. FITZMAURICE: There's a companion point of view in that this may be the only pilot testing that the government does and so that if there's something important, you may want to put it in here. I'm not saying that PKI is, given some of the difficulties we've heard, but balance those two thoughts, if you would.

DR. COHN: Well, I'm trying to think of how for us to make a decision on this one and I guess the question is, I think the first question is whether or not there needs to be pilots, I think, and then the second question is what is the timing.

And I think we need to sort of figure out from the Subcommittee – this almost feels to me like a research agenda when you say that, because to my knowledge there has not been a breakthrough in technology that has occurred since we started hearing testimony that tells me that there's an entirely new thing to be tested, so I think the view might be that this technology will continue and improve. Biometrics and other methods of authentication will get better.

And so I guess my question would be, you know, it's hard to imagine there's a 2006 answer, Jeff, unless I'm missing the point here. And it may be actually a longer term agenda, which may mean it's really an AHRQ issue, I don't know -- I'm looking toward Mike Fitzmaurice as I'm saying that.

But the question, first of all, of course is whether we want to say anything at all about it.

MS. FRIEDMAN: I think this reaches back to a fundamental issue that we've had and that we've been trying to address, is how do you deal with a continuum of technology and craft something that's workable today but leaves open the door for the rapid development and adoption of technology as we go forward? Because you don't want to lock anybody into anything at the moment in some ways, but on the other hand, you want to leave that door open.

MR. BLAIR: Well, Maria, what would you recommend?

MS. FRIEDMAN: I don't know, because I'm having the same struggle that everybody else has had in trying to craft these with an eye toward the future.

MS. AMATAYAKUL: I'm wondering if the requirement in Observation 1 isn't to comply with HIPAA that requires continual evaluation and risk analysis; as technology and your environment changes, that that would be handled, that PKI would be handled as a result of being required to do a continual evaluation under HIPAA.

MR. REYNOLDS: Which right now includes the viruses and everything else that you have to deal with in your security network.

MS. FRIEDMAN: Again, it's not just PKI; it's the whole biometric issue. I mean, as that technology comes on line and it becomes increasingly more sophisticated – it's coming; it's going to be here soon. It's just not quite here today.

MR. REYNOLDS: Simon, if you think about, you know, we heard, we recommended what ought to happen and we recommended that DEA's is going to have to weigh in on controlled substances, and once the DEA weighs in, and if they put the hammer down on non-repudiation and some other things, then it's much easier for me to recommend pilots of things than right now picking out a pilot on some things and say, "Go try this," because they will be the reason, at least initially.

They will be the reason that this thing gets changed dramatically one way or the other, because I think the security rule, there's people doing a lot of business under that security rule right now that have the same ramifications and everything that this does, and so I'm not sure that picking out a technology or recommending this or that, because they may pick something totally different. They may say, yes, and if we're dealing solely with e-prescribing, we've said we're good with what's going on except we want to hear what the DEA says or whether they ratchet something up, and once they ratchet it up, then we have to sit down and understand what ratcheting it up means. And then we may discuss whether or not – first, we discuss whether or not controlled substance or other things are in, and if they are, then what would we want recommended a pilot be to allow them to continue in e-prescribing, or does it blow it up, for example, it'll never be?

DR. COHN: I guess I'm sort of struggling here, and once again I'm just sort of looking at the Subcommittee members to sort of see where we are. My perspective on this – maybe I just sort of asked – I mean, Harry, what I'm hearing from you is that you think that we should be silent on Observation 2 and remove it completely.

MR. REYNOLDS: I do.

DR. COHN: I guess my view this is a recommendation that's really more of a long-term research agenda that we're recommending to HHS that they need to be looking at methods of improved authentication as well as non-repudiation such as PKI and biometrics but probably not limited to that not only for e-prescribing but also as we move towards the NHII. And to my view, the case gets a lot more as we begin to bump all those things on. And I think framed in that way, I'm very comfortable with it. But that's not 2006 pilot; that's not exactly where Jeff was. So, Harry's going north, I'm going east, Judy, are you going south?

[Laughter.]

MR. REYNOLDS: No, Simon, I'm going with you. I have no problem with recommending that because this is a changing environment, because there are other things on our plate with everything else that's come along, that they continue to review it and take e-prescribing and other things into consideration. I don't have a problem with that. Whether or not we pilot it, we recommend a pilot, or a type of pilot, or something else, based on e-prescribing, that's the only place we differ.

DR. COHN: Okay.

MR. REYNOLDS: I agree with the recommendation. I just don't want to lock in a pilot.

DR. COHN: So you'd be more comfortable with the research agenda.

MR. REYNOLDS: Yes – northeast.

DR. COHN: Okay – northeast, okay.

[Laughter.]

DR. COHN: Judy, where are you?

MS. WARREN: I guess I'm uncomfortable with recommending a pilot right now because I'm not sure where it fits in because it's really going to depend on what DEA says on what's going to happen.

Now, whether or not we have Observation 2, at this point, I don't know. I need to sit down and take a look at what we've written and think about it some before I can really answer that.

DR. COHN: Okay, so what –

MS. WARREN: Going in circles is kind of where I am right now.

DR. COHN: Okay – well, that's okay. Jeff?

MR. BLAIR: Let's give the Subcommittee time to think about this.

DR. COHN: Okay. Well, I guess the question would be – we don't need to make a decision today, but it seems to me that we need to sort of put together maybe another straw man that talks about alternatively some sort of a research agenda as described so that we can look at both and see how we feel for the conference call. Does that make sense?

MR. BLAIR: Yes.

DR. COHN: Okay. Lori – comment?

MS. REED-FOURQUET: Okay. Can it be worded in such a way that should a pilot be proposed in response that doesn't include it that it is not precluded because it is defined as a long-term agenda, as opposed to something that perhaps might begin in 2006?

DR. COHN: I didn't quite understand what you were saying.

MS. REED-FOURQUET: Well, I think you're grappling with do you want to specifically recommend that PKI be piloted as part of the 2006 request –

DR. COHN: Right.

MS. REED-FOURQUET: -- which would mean that you would specifically put out an RFP, I assume, that asks for somebody to specifically propose it. However, if your RFP is put out in the more general format where somebody does propose that, that it might not be precluded from the 2006 pilots because you've determined it to be a long-term research agenda.

DR. COHN: I see, okay. Well, that makes – I'm not writing the RFP, as you can imagine.

MS. REED-FOURQUET: If that's the recommendation –

DR. COHN: I see.

MS. REED-FOURQUET: -- if you're drafting it.

DR. COHN: Okay. Good point.

Okay, have we exhausted everybody? Steve? We need to move on to some other items here about – it's right now 12:08.

MR. STEINDEL: Yes, I know.

DR. COHN: And we will adjourn, as commented, at 12:30. Now let me move on to a couple of other issues.

Now, obviously, Maria, number one, is going to schedule probably two or three conference calls -- my bet is it'll be three, over the next two weeks – assuming she can figure it out, and we will do our best to get a majority of members of the Subcommittee. It may not always be the same majority, but she will do the best she can with that.

Now, Marjorie, I think, brought up the issue of what else are we putting in here, and clearly there's an issue, and I'm assuming, Margaret, that you need to place in here language from the Privacy and Confidentiality Subcommittee, and that's number one.

Number two, and I think this is what Marjorie was also asking about very appropriately, is what other recommendations do we need to be making about any of the issues that have sort of come before us?

And if you'll remember, there are three items, four items, that we had identified as we would be giving additional advice to the Secretary on, and they included the formulary –

MS. AMATAYAKUL: And formulary identifier.

DR. COHN: Well, no – maybe we're talking about -- I'm looking at the recommendations; I'm not looking at the next steps.

MS. AMATAYAKUL: This is a list of stuff that I took from the first letter.

DR. COHN: Okay. And what I'm looking for are things that we specifically said we were going to be providing additional advice and guidance and things that we suggested, I think, additional advice and guidance were the RxHub standard that related to formulary as well as the RxHub medication history, both of which were going through the NCPDP process.

And I think we had said that we were going to try to give additional guidance to HHS on those, is that correct? I don't think we've ever said that sig, for example, was something that we were providing additional guidance to decide whether it was going to be a foundational or non-foundational standard.

MS. AMATAYAKUL: This list is only from the next steps.

DR. COHN: Okay – and I'm not referring to the next steps –

MS. AMATAYAKUL: Okay.

DR. COHN: -- at this point. I'm referring to actual recommendations where we said we'd give additional guidance.

I think my memory is that there were only two areas, there may have been another –

MS. GREENBERG: Was there anything about the other type of history?

DR. COHN: About the other kind of what?

MS. GREENBERG: Not just medication history but medical –

DR. COHN: No. Okay, that's not what I'm talking about. I'm talking about within the recommendations, that we had other things. She has that list.

MS. GREENBERG: You have the letter.

DR. COHN: Okay, but what I'm referring to, is, for example, in Recommendation – let's see – "NCVHS will closely monitor the progress of NCPDP's developing standard medication history, for example, for communication, and provide advice to the Secretary in time for adoption as a foundation standard and/or readiness for the 2006 pilot test." It was that type of recommendation I was referencing right at this point.

And I guess what I was at the beginning commenting on that I didn't think we heard enough – I don't think we can tell the Secretary at this point anything more than we already know about either of those standards at this point. Sounds like they're in process –

MR. REYNOLDS: Is it important to mention that we did hear further testimony on their status and especially on those two where it is?

DR. COHN: Well, we could.

MR. REYNOLDS: And if they meet – I don't remember Lynne's dates exactly – but if some of them meet the schedule, then we may later this year –

DR. COHN: Provide additional guidance.

MR. REYNOLDS: Yes, that's a possibility.

DR. COHN: Yes.

MS. FRIEDMAN: Because the reg leaves open the possibility of adopting some foundation standards and formulary and medication history standards, providing they get through the process, and they can be adopted as foundation standards without further ado.

DR. COHN: Well, let me think what "further ado" means.

[Laughter.]

DR. COHN: Let me think about "further ado."

MS. AMATAYAKUL: It sounded to me like the NPRM was saying that they had set place holders for these two areas and that they wouldn't have to do another NPRM –

DR. COHN: Okay.

MS. AMATAYAKUL: -- just to address these two areas.

DR. COHN: But I think by "further ado" I mean – I guess the reason I was so struggling with further ado – was the industry being surprised in November with additional things without any further discussion, and I guess I was a little concerned about that.

But I guess we need to see what the industry thinks as we move forward. Yes, Mike?

DR. FITZMAURICE: The Committee could say we've heard reports and we believe that progress is coming along very satisfactorily and it could be even speeded up with HHS support.

DR. COHN: Actually, I don't know whether I heard the last part; is that true? Or maybe we didn't hear that. I heard progress is moving forward.

MS. FRIEDMAN: Didn't Lynne say that they may be coming back to ask for additional support from us?

MR. REYNOLDS: For other items, not these two necessarily.

DR. COHN: Yes. I think that's all we can say.

MR. BLAIR: We said "monitor" I think was the word. Yes, we said we'd monitor progress.

DR. COHN: So I guess what we can do is report that we are monitoring the progress and that we will be having additional public sessions this summer, it sounds like, hearing from NCPDP, because I think what I heard was that they were in the midst of balloting but it may need to go to a second ballot, so it's a little unclear.

MS. FRIEDMAN: One was a little farther along than the other.

DR. COHN: Exactly. But I think Margaret should put together some wording on this one.

MR. REYNOLDS: I think the exciting point is that the industry has taken it up, the standards organizations are going, and there's no reason for us to believe that whether or not it meets – it's the early pilots. Something's going to come out, and we should be able to consider adopting it. That's what I think I heard.

DR. COHN: Yes, that's probably no reason not to include in pilots. I think we could certainly say that, at this point.

MS. FRIEDMAN: Especially in reference to the codified sig.

DR. COHN: Maria was sort of commenting that she thought the codified sig would likely also be able to be in the pilot also, so I think we could probably say that.

MR. REYNOLDS: I think that rounds out. The standards we're getting before plus those three rounds out a pretty nice package --

DR. COHN: Okay.

MR. REYNOLDS: -- to go forward with the pilot.

MS. FRIEDMAN: Just let me clarify this. If the formulary medication history standard gets through the accreditation process, then we can adopt those as foundation standards that do not need to be piloted, but they will be ready for us by Part D.

MR. REYNOLDS: Right. That's true.

MS. FRIEDMAN: And that's the big if, and so that only leaves just the structured sig, if that gets the sufficient likeness, if you will, to be piloted.

DR. COHN: What are we saying here? I sort of just missed what you were saying. You were saying that we're going to advise the Secretary that this could be adopted as a foundation standard?

MS. FRIEDMAN: Well, that's what the NPRM says. If the formulary medication history standards get through the process, they can be adopted as a foundation standard. They don't need to be pilot tested.

MR. REYNOLDS: Just like NCPDP SCRIPT.

MR. BLAIR: The NPRM did say that and its rationale for saying that they could do that was because if there wasn't significant modifications from the way the protocols are used today, then there already is industry experience?

MS. FRIEDMAN: Right.

MR. BLAIR: So that was the rationale for –

MS. FRIEDMAN: Right.

MR. BLAIR: -- why they could do that.

DR. COHN: I guess we'll have to look at the wording on that and sort of see where we come up. I'm a little uncomfortable at this point and I'd have to go back and either review testimony or maybe hear additional testimony after this is completed to make sure the industry at that point feels that it's appropriate as a foundation or a pilot --

MR. REYNOLDS: Exactly.

DR. COHN: -- because only because I think they have significantly different ramifications given that we're talking about putting things in in a required basis for all health plans as well as anybody using e-prescribing starting January 1st, 2006.

MS. FRIEDMAN: That's why I wanted to bring that up and make sure everybody understands that it's in the NPRM that way.

DR. COHN: Okay. Well – okay. But we'll take a look at the wordsmithing and sig could certainly be piloted.

Now, do we want to quickly go through the list here of things or do we – obviously, we didn't get to a lot of them. We obviously have talked about electronic signature; we're going to have issues related to privacy and security which really shift to e-prescribing; we have a directory that would identify prescribers, nursing facilities and pharmacies – I don't think we've done any work on that; codification of allergens, drug interactions and other adverse reactions to drugs – we have not done any work on that –

MR. BROOK: The directory, there's work done.

DR. COHN: Oh, that was an NCPDP testimony; I'm sorry. Thank you.

Codification of allergens, drug interactions and other adverse reactions to drugs have not been, to my knowledge, worked on. Incorporation of indications for drug therapy into e-prescribing messages. I'm actually just sort of looking through the remainder of these and I'm not –

MS. FRIEDMAN: Units of measure, I believe, is being addressed to a certain extent in a codified sig. I don't know if it's a full-blown – correct me if I'm wrong. Is that correct?

DR. COHN: Okay. So methods for patient identification for e-prescribing, I think that's a to do item, along with privacy and confidentiality, and next more of a general NHII issue. Use of the national health plan ID for e-prescribing, I don't think we've discussed that. Formulary identifier. Exchange of medication history among all participants in the e-prescribing process, I think that's a to do. Exchange of medical history within the e-prescribing process, that's another probably longer term to do. How to be insure the interoperability among e-prescribing standards, that's clearly something we're working on and I think want to make a comment on.

MS. AMATAYAKUL: In this letter or in your separate letter?

MS. GREENBERG: What separate letter?

DR. COHN: The NPRM letter. Well, we might want to make a comment on both, actually, just updating on the progress relating to HL7 and NCPDP for prescribing and work being done and then we can maybe – this is much more of an update of progress being made, the other one being more of a point of view around all of that.

Standard codes for orderable items, I don't think we've done anything on that.

MS. FRIEDMAN: Is that by itself or in a context of RxNorm? Didn't Stewart say they were addressing some of that in RxNorm now?

DR. COHN: Oh, that's right – okay. At some point.

Exchange of drug labeling and drug listing, I don't think we can make much comment on that. Maybe we want to make a comment about SPLs is working and moving forward, that's fine.

Clinical decision support in e-prescribing, I think we investigated that and I don't know – we could certainly reference the white paper coming out of –

I think other than referencing the white paper that was developed on clinical support, I don't think we found that there was a lot more to be done in all of that.

So I think the reality is we've handled some things but obviously haven't done everything between September and at this point. I think we need to congratulate ourselves on the work that we've done though there'll be a lot more over the next couple of weeks. Anyway, we'll be asking Margaret to do some additional drafting, then we'll be discussing during conference calls.

Now the other piece that we need to talk about is the Notice of Proposed Rule and responding to it, and I've asked Jeff and Harry to take the lead on that and they'll actually be sort of chairing the discussions on it.

I don't know if either of you have perspectives that you want to share because clearly it'll be part of our conference calls and I think we'll need to figure out whether Margaret or Maria are beginning to write things up. I guess my own hope is that it would be heavily reliant on our previous recommendations, but that's just one man speaking. Harry, do you want to comment, and Jeff, also?

MR. REYNOLDS: Jeff, go ahead first.

DR. COHN: Jeff, you go first.

MR. BLAIR: With respect to the work we do on our commenting on the NPRM?

DR. COHN: Yes.

MR. BLAIR: My only thought is that I think we're going to need a lot of time for the conference calls to be able to work through that and, Maria, if we don't have the times, do we at least have the days when it looks like the –

MS. FRIEDMAN: No, I have to check people's schedules. I'll get out an email this afternoon.

MR. BLAIR: Okay. I would think that we're going to need at least two fairly sizable conference calls to finish off this letter on e-prescribing and, gosh, we may need two sessions on our comments on the regs.

I do think that – Margaret, are you in a position where you would be able to –

MS. FRIEDMAN: I would like to note that the comment period on the reg is through April, though I know we have to get to the full Committee in March. So that's –

MR. BLAIR: Right.

MS. FRIEDMAN: -- why we have to do it now, right?

MR. BLAIR: It means that, yes, we don't have another meeting before then to be able to try to pull this together.

I think we wound up – you know, Steve had a couple of observations, I had a couple, and I went ahead and I mapped our recommendations to the NPRM so some of the divergences were – Simon, I don't know what I could say. Margaret?

MS. AMATAYAKUL: Yes, Jeff?

MR. BLAIR: If you take Steve's observations and I'll send you an email with some of my observations to get started where you'd be able to create a draft that we could review for one of our conference calls?

MS. AMATAYAKUL: Yes, I could do that.

MR. REYNOLDS: Jeff, this is Harry. One thing to maybe add to it is for the first conference that you're having set up, Simon, if anyone else has input, I mean, obviously Jeff has mapped it, Steve made some comments, if any of the rest of the Committee has subjects or areas that they think we should comment on, if they could at least say those at the beginning or sometime in the first conference call and not take up the time from what we're doing with this letter –

MS. FRIEDMAN: Or ship them off to Margaret, email Margaret.

MR. REYNOLDS: Okay, get them to Margaret, then Jeff and I and Margaret could work on that draft –

MR. BLAIR: Yes.

MR. REYNOLDS: -- and then whenever it got in, we will have at least had everybody's upfront areas that they wanted to have some comments about and then we could obviously share that.

MR. BLAIR: And the other piece is that I don't feel a need to comment on all of the areas where the NPRM did not include recommendations, for example, that we made on pilot tests or working together to encourage coordination among the SDOs. I don't feel – you know, those things wouldn't normally be in the NPRM anyway. So I think the only things we would comment on are things where clarification is needed or there's a level of uncomfort in the NPRM.

MS. FRIEDMAN: Or if there's an area in the preamble where we ask for comment, if there's something major we left out that we didn't address, you think we should do as a public comment on? But again, are the foundation standards, are they the right ones –

DR. COHN: And all the other questions that we know about. Yes.

Obviously, I guess what I would hope is that we're not producing another 10-page tome.

MR. REYNOLDS: Yes, absolutely.

DR. COHN: We need to be aware that we have sent them already a 16-page document which was the basis of the NPRM, so we should be selective in our comments. Jeff, as I think you commented, the important comments that we need to make, if there are items or responses that we need to their questions and there aren't actually all that many things that they're asking about, we can certainly make them but we don't need to feel that we need to feel responsible for commenting on every question that they have knowing that some we have already commented on.

MR. REYNOLDS: And since we'll be one of about 2,000 responses, we probably need to be very clear. I did that for Maria's benefit.

MS. FRIEDMAN: Thank you!

DR. COHN: And certainly, there should be no shame in heavily quoting passages from the previous set of recommendations if they are applicable. You know, we can sort of point things out and reemphasize, maybe even further state or whatever, but I don't think that there's any shame in sort of drawing attention back to the original document, which was an excellent document.

MR. BLAIR: Are we able to shamelessly pander to HHS by indicating how we thought that they based their NPRM on excellent input?

DR. COHN: I think that probably would be well taken by us.

[Laughter.]

DR. COHN: Now, so anyway, what we will do I don't anticipate that these will be separate conference calls. I expect that we will be handling the letter and the NPRM sort of simultaneously so I'm anticipating we will have four conference calls, but we will just need to make sure that we have adequate time in the number of conference calls that we are able to schedule to do all of that and we're just going to have to do what we can.

Obviously, I think our intent and hope was to get this handled by the President's Birthday. I'm hoping at least we'll have one of the two done by that time and maybe the other one done the week after or something on that level. That may be a little optimistic but we will, I think, just all strive to do what we can.

Now, as I think we commented, for those remaining in attendance, these will be public conference calls and we will be posting the information on, the caller numbers and all of that, and as always we appreciate your help and input as we move forward. That's life.

Anyway, any final comments before we adjourn? Okay. I want to thank everybody. We couldn't do this without the help of the staff, and, Maria, thank you, and Marjorie, and Donna, Michael, Jorge and Steve, and obviously Marietta and others and obviously, the wonderful Subcommittee members, and thank you for your work.

With that, the meeting is adjourned.

[Meeting is adjourned at 12:32 P.M.]