DEPARTMENT OF HEALTH AND HUMAN SERVICES

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S (9:05 a.m.)

This is the first day of two days of meetings of the National Committee on Vital and Health Statistics. The National Committee is the main public advisory committee to the U.S. Department of Health and Human Services on national health information policy.

I am Simon Cohn, the Associate Executive Director for Health Information Policy for Kaiser Permanente and Chairman of the Committee.

I want to welcome fellow committee members, HHS staff and others here in person, and I obviously want to welcome those listening in on the internet, and, as always, I want to remind everyone to speak clearly and into the microphone.

Now, what we will do this morning is to start with introductions, and we'll ask the new members to briefly introduce themselves in the course of these introductions, and we'll talk about them more a little later on.

For those on the National Committee, I would ask if you have any conflicts of interest related to any of the issues coming before us today would you so please publicly indicate during the introductions?

MS. GREENBERG: Okay. I'm Marjorie Greenberg from the National Center for Health Statistics, CDC and Executive Secretary to the Committee.

DR. LUMPKIN: John Lumpkin, Senior Vice President, Robert Wood Johnson Foundation.

DR. WARREN: Judy Warren, University of Kansas, School of Nursing and a member of the committee, and I am not aware of any conflicts for today.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, a member of the committee and no conflicts.

DR. TANG: Paul Tang, Chief Medical Information Officer, Palo Alto Medical Foundation, Center of Health, a new member of the committee and honored to be here.

DR. STEINWACHS: I'm Don Steinwachs, Johns Hopkins University, a member of the committee and no conflicts I am aware of.

DR. CARR: Justine Carr, Health Care Quality, Beth Israel Deaconess Medical Center, member of the committee, and no conflicts.

MR. HOUSTON: I'm John Houston with the University of Pittsburgh Medical Center. I am a member of the committee, and I don't have any conflicts either.

DR. VIGILANTE: Kevin Vigilante, Booz-Allen, Hamilton. No conflicts that I am aware of.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and Quality, liaison to the National Committee and staff to the Subcommittee on Standards and Security.

MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, staff to the Subcommittee on Standards and Security.

MS. MC CALL: Carol McCall, Humana, with our Center for Health Metrics. I am a new member to the committee. Thank you for the invitation. I have no conflicts that I am aware of.

MS. BEREK: Judith Berek from the Centers for Medicare and Medicaid Services. I am currently the liaison to the committee. I am retiring on April 30^th, and Karen Trudel will take over as liaison.

DR. SCANLON: Bill Scanlon. I am a new member of the committee. I'm with Health Policy R&D here in Washington, and I am very happy to be here, and I have no conflicts for today.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member of the committee and no conflicts.

DR. HUFF: Stan Huff with Intermountain Health Care in Salt Lake City and the University of Utah, and a member of the committee, and no conflicts for today. Thanks.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the committee.

MR. BLAIR: Jeff Blair, Medical Records Institute, and a member of the committee, and there's no conflicts that I am aware of for today.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of Medicine, member of the committee. No conflicts.

MR. SCANLON: Good morning. I am Jim Scanlon from the Office of the Assistant Secretary for Planning and Evaluation here in HHS. I am the Executive Staff Director for the full committee.

DR. DEERING: Mary Jo Deering, National Cancer Institute and lead staff to the NCVHS workgroup on the NHII.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, committee staff.

MS. BERNSTEIN: I'm Maya Bernstein(?) from the Office of the Assistant Secretary for Planning and Evaluation, and I am also the new privacy lead in HHS.

MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics, CDC.

MS. FRIEDMAN: Maria Friedman, CMS, lead staff to the Subcommittee on Standards and Security.

MS. PICKETT: Donna Pickett. National Center for Health Statistics, CDC and staff to the Subcommittee on Standards and Security.

MS. JONES: Kathryn Jones, CDC, National Center for Health Statistics, staff to the committee.

Now, normally, at this moment, we move right into talking about the agenda, but being the new Chair, I am going to take the prerogative of spending a couple of minutes just talking about the transition and change. It will not be the last time we talk about it today or tomorrow.

Obviously, I, first of all, want to comment that I think we all believe that the achievements of the last several years for the NCVHS have been nothing short of spectacular, and I really want to thank our previous Chair, John Lumpkin, for helping make it all possible. I mean, as we think about what has been going on - the guiding of the initial HIPAA implementation, the visioning of the NHII, the creation of the first set of recommendations for e-prescribing that are now part of the proposed rule, which I know Karen will be talking a little later, as well as letters of great import coming out on quality of populations - I mean, we have - here, we have really the committee to thank for all of this. There clearly is a lot to be proud of, and I want to just take a moment to acknowledge our departing members - John, Vickie - Vickie, I'm not sure why you are back there, as opposed to at the table. Can we have - Can we have you sit at the table, please? We're transitioning. I don't think we think you have left the committee yet. Gene, who I don't think has arrived yet today. Obviously, you will be missed, and we, obviously want to celebrate your contributions, obviously, today and this evening.

In addition, we also want to acknowledge Peggy Handrich, who, while not here, has resigned from the committee, and we, obviously, will miss her. I think that she has provided a lot of valuable input.

Also, I think I should comment that Aldona Robbins, who has a name tag here, but isn't here yet, will be also transitioning off in her role. I think she is finishing off her term on the Bureau of Scientific Counselors, but I think this, at least likely, will be her last time representing the bureau - the board on the committee.

I guess we should also comment about Judy Berek, who has already commented about her retirement, so congratulations.

So, clearly, this is a time of transition, to put it mildly, but, clearly, there's lots more to be done and challenges to face.

You know, we talked about HIPAA. Well, in some ways, the identification of the initial standards may be the easy part. I think the hard part now is to work with HHS and the industry to figure out how to maximize the value of the implementation.

For the NHII, there is an ongoing set of tasks that relate to further visioning out the NHII as well as identifying - I mean, really solidifying it, making it real.

For populations in quality, large issues remain, and we'll be continuing to come forward relating to information needs for the Twenty-First Century.

Obviously, these are just a few of the challenges before us. I think for all of us who will continue on after today I have to say that it is truly an exciting time to be a member of the NCVHS, and we obviously welcome the new members.

And speaking of that, obviously, we are delighted that Paul Tang and Carol McCall - McCall – McCall. I apologize. It is 6:00 a.m. in California. So - (laughter). McCall - and Bill Scanlon, we are obviously delighted that you could join us and we are looking forward to your active participation.

You are obviously joining an elite group. I think the NCVHS - and I think we comment about this as well to staff sometimes when we drive them crazy - but we are really known within the federal government as one of the most productive and hardest-working federal advisory committees.

As you know, we all have important day jobs. So we don't do this because we all have a lot of free time on our hands. The reason we have taken on this additional responsibility is our commitment to a better healthcare system, a healthier citizenry, and, really, a better America, and, obviously, at the end the day, we all have the satisfaction of having our deliberations and recommendations make a difference, and I think that may be one of the defining characteristics of this committee. By working hard, we actually typically do make a difference in terms of the activities of the federal government and the private sector.

Now, when I was appointed Chair a month ago, the first thing I did was to talk to each of the committee members, and I really do want to thank you for taking time to - in your busy schedules - to talk with me about how the committee was functioning as well as opportunities for improvement; and, obviously, we talked to the new committee members also to at least begin to orient you to the workings of the committee.

What I heard from all of you in my discussions was very positive. John, if I were giving you an evaluation - and I have to say this is sort of interesting, because John has provided evaluations from my performance in the last several years - but I did want you to know that we would all be giving you an outstanding in all categories.

You know, John, as you say that, I did notice that there was something about - that I have always been missing about those evaluations and the final step, but thank you for pointing that out. (Laughter).

Clearly, the suggestions we heard from the committee members were really focused on making things better. They were modifications really around really our central activities to make things more productive, to make things work better, recognizing that we have limited resources. I am not going to go into them a lot today. We'll be talking about them, I think, as they begin to appear sort of over the next couple of committee meetings related to sort of specific changes that we'll likely be making - around the structure and functioning of some of the committees, but, you know, I think these are, once again, just sort of changes, not of mission, not really primarily of organization, but really more along the lines of style and all of this. So we'll, as I said, be talking about them. The Executive Subcommittee will be working on them, and we'll be talking about them more at future meetings.

And, actually, speaking of the Executive Subcommittee, I think you all have updated copies of the agenda, but I just want to sort of announce officially new subcommittee members and members of the Executive Subcommittee.

First of all, we have Don Steinwachs, who is going to be taking over for Vickie Mays as Chair of the Population Subcommittee, and thank you for being willing to do that, Don.

DR. STEINWACHS: And those are very big shoes to fill. I'm a little bit scared about my evaluation, Simon. (laughter).

Now, I have also appointed Jeff Blair and Harry Reynolds as Co-Chair for the Standards and Security Subcommittee. Want to thank you both for being willing to do that. I mean, that's, once again, yet another big task.

Now, as has been the tradition, I will be assuming the chair of the NHII workgroup, and this is a tradition that started with Don Dettmer(?) and continued with John Lumpkin, and, obviously, I will take that on, obviously, with all of your help.

Now, one of the things that I will be doing is to be working closely with all of the subcommittees and workgroups and the chairs to make sure we are developing well-articulated, agreed-to goals and work plans that are timely and relevant, and so you'll likely see me jumping in out and out of some of the subcommittee and workgroup meetings over the next couple of days, but I think, in this transition, it is really a time to reflect on the goals, the work plans. In some of our cases, we'll be likely to be holding hearings to get public and governmental input as we begin to develop these work plans, and, once again, it's just a time of reflection and change.

Finally, I do want to tell you how appreciative of the contribution from both Vickie and John.

Obviously, Vickie is our departing Chair on Populations. Obviously, I want to thank you for being willing – I mean, the good news - both of them - is that they are not going to go away very quickly. Vickie, in her case, is going to remain as a consultant to the committee to help us move forward with the very important Populations Report, which we'll begin to hear about today and we'll, hopefully, be acting on in June.

I have also asked John to continue as a special consultant and advisor to the Executive Committee, though I was actually, this morning, mulling about whether we needed to include the NHII as part of that, but he and I will have to talk about that, but I think we have all benefitted from his involvement in the NHII, as well as the NCVHS, over the years, and I, obviously, think that the committee would be well advised to ask for his continued counsel and guidance.

Now, there is honestly a lot more that I can say, and probably will as the day proceeds, but, obviously, we have a full agenda. This was actually taken out of the first part of our agenda, and so I want to return to the agenda and just sort of review what we are going to be doing today just so that everyone is aware of what the schedule is going to look like.

DR. COHN: This morning, we begin with an update from the Department. We'll have Jim Scanlon from ASP, Karen Trudel from CMS and Susan McAndrew from OCR providing an update, and, obviously, thank you for joining us.

Then, we'll be considering a letter on medical devices. Mark Rothstein will be bringing that letter forward for discussion and possible action.

After the morning break, we will begin the discussion of the second set of recommendations on e-prescribing. Jeff Blair and Harry Reynolds will be bringing that letter forward for discussion.

After lunch, there will be a review of a draft letter coming from the committee of comments relating to the proposed rule on e-prescribing.

Then there'll be a brief populations report, which I think, Don, you and Vickie are going to be sort of reviewing briefly, where we are with that, and trying to prepare the committee for further action in June. Correct?

Okay. And we'll spend just a couple of minutes on the 2003-2004 NCVHS biannual report.

Then, we are pleased to have David Brailer, who is the National Information Technology Coordinator, joining us for an update on current initiatives and issues.

Now, from three to five, we break into subcommittee sessions. We will talk about those rooms later on, but Subcommittee on Populations and Subcommittee on Standards and Security meeting at the same time. Then at five o'clock, we'll have a shortened meeting of the workgroup on the NHII, maybe from probably 5:00 to 5:30 or 5:45.

Again, we want to thank our departing members for their major contribution. John, you in particular. The committee is much better off through your chairmanship over the last number of years and we want to thank you.

Since we met in - I guess it was last November, obviously, a number of changes have occurred, both at the Department and with the committee itself, and let me go through a few of those things and talk a little bit about where we are with budget planning and some of the data initiatives across all of the Department.

Karen will talk about where we are with HIPAA, and Susan will talk about where we are with the HIPAA privacy regulation, so I won't be dealing with that.

But, first, I would like to add my own welcome to the new members. I spoke to most of you in the recruitment process, and we are very pleased, not only that you could come, but that you could actually make it for this meeting as well. Actually, the wheels turned fairly quickly once we got to that point. So we are very happy to have you here.

And, again, I wanted to add my own thanks and appreciation to the members who are Vickie, John, Gene and Peggy, who are rotating off of the committee, and I hope, again - as the Secretary always says in his appreciation letter to members who are retiring, we would like to be able to feel free to call on you as the need arises in the future, and I think we probably will do that in these cases as well.

We have actually had a couple of other personnel changes that effect the committee as well. Well, first of all, I should start at the top, I suppose. We have a new Secretary here at HHS, Michael Leavitt. Secretary Leavitt comes to HHS from the Environmental Protection Agency, which he headed for the past couple of years, and, before that, he was the Governor of Utah for a number of years, a number of terms; and, actually, by all accounts, he is actually quite savvy in terms of information policy, information technology, and he is actually quite interested in moving this whole agenda forward. So Utah, I think, has had a number of - Stan - was associated with a number of health-information technology developments, the Utah Health Information Network, and a number of other very positive and very pioneering efforts in Utah. So, hopefully, the Secretary will help us push these forward as well.

In my own office, and associated with the committee, I am happy to announce that we have hired Maya Bernstein as our privacy expert, privacy advisor at HHS. She is the successor to John Fanning. She'll be - I didn't say she "replaced", I said- (laughter). Maya.

MR. SCANLON: Yes. But Maya, actually, is quite capable in her own right. Maya is well known at the national and federal level for privacy expertise. She has been - held senior privacy positions at OMB. She was the privacy advocate at the Internal Revenue Service - talk about sufficient training for HHS - (laughter) - and she has had a private consulting practice and a law practice in information policy and privacy policy. So we are very happy to have Maya join us here. This is really her second week, and she'll be transitioning in as the lead staff for the privacy subcommittee.

A couple of words about our budget, where we are with the various budgets, because they effect a lot of what we can do, generally. We now have, as you know, an appropriation for Fiscal Year ‘05, and I'll talk a little bit about what that includes.

The President sent his budget up a little more than a month ago, and this is the ‘06 - Fiscal ‘06 budget, and it actually contains a number of the health-information technology investments that we had begun earlier, and let me just mention specifically what they are. There's a $125-million investment for health-information technology. Seventy-five million is requested for the Office of the National Coordinator for Health Information Technology, David Brailer's office, and that would include authority for grant and contract programs as well.

The focus would be to provide strategic direction for the development of a national interoperable healthcare system to encourage clinicians to collect and collaborate with international health information technology network.

And, again, the ‘06 budget will continue the $50 million initiative we began in ‘04 at the ARQ(?), at the Agency for Healthcare Research and Quality. This is a grant program, demonstration planning and implementation grants to accelerate the development, adoption and diffusion of interoperable information technology in a range of healthcare settings. So that is also included in the ‘06 budget, and the ‘06 budget also includes, I'm happy to say, a continuation of our $10-million data-standards - again, which we began in ‘04. This is funding that really allows us to do a number of the developmental work on a number of data standards in the prescription-drug area. It provides support for a number of mapping activities that the full committee has recommended, and this is administered by the Agency for Healthcare Research and Quality.

Mike, I think we had some good investments last year, and we'll be looking at what the ‘05 investments will be, and we'll be asking for the committee's advice there as well.

MR. SCANLON: On the population statistics side, I am happy to say that the budget that was actually enacted for Fiscal Year ‘05 included some good news for population statistics. It included a $25-million increase for the National Center for Health Statistics. I think I briefed the committee on this previously. This was the amount we estimated was needed to sort of maintain and protect and transform some of the core data systems at NCHS, everything from vital statistics to the health interview survey, provider surveys and methodology research. So without that, I am afraid we would be in fairly dire straits this Fiscal Year. Now, I believe we are on a fairly good footing. I think Dr. Sondik, tomorrow, will brief the committee on the state of the center when he comes before the committee.

This particular reinvestment was the Data Council's highest priority, recommended, included in the President's budget and Congress enacted that. So we are very pleased that everyone saw that as a very high priority, and, even better, that has continued. It wasn't a one-year kind of initiative. It actually continues at that level for Fiscal Year ‘06. So it is a boost that goes on for NCHS.

Within HHS, this is the time of year - February and March - where the Data Council does its more or less program review of where we are with the various surveys and major data systems across HHS. So at our March meeting next week, we'll be looking at - across all of the agencies about where, for planning purposes, the various surveys and major data systems are.

Again, this is just within HHS. We'll be looking at are there any enhancements, are there any retrenchments, are there more or less - services, operations planned for most of our major surveys, but we do want to get a sense of where we are now that the budgets are clearer and where we are heading in the next year or two.

The budgets for ‘06, in general, are fairly tight for all federal agencies, but, in general, it looks like our major statistical activities are being supported, for the most part, at the current services level, which is actually quite an accomplishment.

Let me quickly go to a couple of things the Data Council is looking at. There are four areas that leadership in HHS asked for a departmental kind of a perspective on, how are we doing in these areas in our data activities and what kind of gaps are there and what kind of enhancements and collaborative opportunities do we see in the months ahead.

The first area that we were asked to look at is in the area of prescription-drug data. This is associated somewhat - largely with the Medicare Modernization Act, Part D Program, but beyond that as well, we have a working group looking at what is our current capability for statistics, research and programmatic data on prescription drugs, and then what are some of the gaps and what are some of the enhancements that we could move forward on, and we have actually got a couple of enhancements moving forward in terms of prescription-drug data collected on surveys. We have some improvements going on there.

A second area is to look at national health insurance data and related data, but largely national health insurance status data, and, as you know, a number of our surveys here at HHS, and one at the Census Bureau, provide more or less annual estimates of the national health insurance coverage in the United States, the uninsured population - coverage exists as well. We don't always get the same estimates from those surveys, and so we have been - and this has been known for a long time. They actually measure somewhat different things when you look at them more closely, but we are looking at can we get a better understanding and a comparative framework across the surveys? Do we understand why the variations occur? Do we understand what the measures are, and are there opportunities for collaborative research in analytical work, modeling and so on in those areas across our various surveys? And we've actually got a number of good projects that are being considered in those areas as well.

And in these we include - in these discussions, we include not just the HHS agencies. We include the Census Bureau, the Treasury, the GAO, the CBO and the Congressional Research Service and other agencies that use the data and even collect some of the data.

Two other areas, quickly. We have begun to look at - after looking at the national-level data estimates for health insurance, we have begun to look at what capabilities we have for state and local data. The initial focus is on survey estimates for health insurance data, and, again, we have a little bit of capability in HHS, and the Census Bureau has some of this capability as well. We are not as far along there, but we will be looking at what might make sense for enhancements.

And, then, finally, really, at our December meeting of the Data Council, we - and, again, this was at the request of HHS leadership - we began to look at how we measure income and wealth and related data in our major surveys.

In most cases, we are measuring income and wealth as a correlate to understand health and human services, not to make - HHS doesn't make estimates of national income particularly - and how the various surveys compare in their measures, what the strengths and the weaknesses are, and, clearly, there are a couple of opportunities there for some enhancements and improvements as well.

DR. COHN: Well, actually, I think Sue McAndrew has to leave shortly. So I think - if it's okay - can we hold the questions until after Sue has had a chance to present? Is that okay? Great.

MS. MC ANDREW: Thank you very much. I apologize to the committee. I wound up with a conflict this morning so will have to make this relatively brief.

I did want to let you know that there are three new areas of FAQs that have gone up on our website recently. The first is a suite of FAQs attempting to clarify the permitted uses and disclosures of health information in the context of litigation and what the differences are between requests that come to a covered entity as a third party and what the permissions are if the covered entity is itself a party to the litigation. So we have tried to work out those clarifications, and, last week, Rick Campanelli(?) was down in Florida speaking to the American Bar Association's health group and that was one of the things that was on the agenda for them. So we were quite happy to get that set of FAQs up.

We also have just recently posted two other FAQs, one on clarifying how health plans can continue to provide information to the child support enforcement agencies through the National Medical Support Notices; and the newest FAQ concerns the permissions surrounding the use of interpreters, largely language interpreters or interpreters for the hearing impaired, and the various ways in which those interpretive services can be provided to patients.

This presented us with an interesting crosswalk within - because we had a chance to merge the privacy side of the office with the civil rights side of the office because they also do the LEP guidelines and we were able to crosswalk the two provisions.

On the compliance front, just briefly, we are up to 11,258 complaints and we have closed 63 percent of those - my rough count this morning. This is through the end of February. The nature of the complaints and the entities against who they are filed remains pretty much the same, and so I won't go back over that.

I would just also like to say that we have - we enjoyed the hearings that the NCVHS Privacy and Confidentiality Subcommittee had, which I guess was also last week. Oh, my God, yes. How time flies. What happened last week? And we are really - we found those to be very - provided a lot of good information, and we are looking forward to the hearings in March out in Chicago.

One of the other things that is causing all my calendaring issues is that we also - there are going to be changes in the privacy team. We are doing a good bit of hiring, and there will be - we are looking for - looking to put people in some leadership positions. I believe there was just posted that there will be an SES position in the office for privacy at the deputy director level. So there will be changes a-coming for the privacy team.

DR. FITZMAURICE: Yes, I wondered how many cases have been referred to the Department of Justice for criminal prosecution and have there been any convictions? I know that there was a case, I guess, in Washington. Somebody used information for credit cards. That question arose. He pled guilty to the privacy rule, but they are not sure whether it was a privacy-rule violation because the person might not have been a covered entity.

I probably am muddling all of this. I wonder if you could make some sense of how many cases have we referred and have there been any convictions?

MS. MC ANDREW: I didn't get the most recent count. As of the end of January, we had referred 170 cases, and, in addition to those referrals, we also - Justice advised when there are stories - pressure - other events that come to our attention, so we do informal referrals as well.

With regard to the Washington case, that was - as I understand, that was a guilty plea which was entered and approved by the judge, and so -

MR. HOUSTON: Any movement on trying to get the statistics we talked about and will this hiring help us at all?

MS. MC ANDREWS: The hiring is going to help us because there hasn't been much movement to date.

DR. FITZMAURICE: Are there any proposed changes in the privacy rule coming that we could expect in the next year or year and a half? Is somebody looking at proposed changes and might you be coming out with something in the next year, year and a half?

MS. MC ANDREW: We always are looking at changes. I think now that we are up on our second anniversary, it is time to consider what those issues are and to look at them in terms of much more experience. In the early - in the first year and a half or so, it was a little too soon to figure out whether this was just initial compliance glitch or something that was really troubling with the way the rule was written. So I think we now have enough experience that we can begin seriously assessing whether or not additional changes need to be made in the rule.

DR. TANG: Is there any thought about exploring how this might impact PHRS, Personal Health Record Systems, particularly when their data is contained in systems that are owned and operated by a third party that is not a covered entity?

MS. MC ANDREW: We have been working closely with Dr. Brailer's people, in terms of all aspects of the rollout of the electronic health record and the national health information infrastructure, and, to the extent personal health records are a part of that, we have been involved in those conversations.

Right now, we are more or less statutorily constrained to the extent those third parties that are operating personal health record systems are doing so in connection with - as an outgrowth of a plan. I would expect that there would be a business-associate relationship between those entities under the rule as currently structured, and even to the extent they become involved in some sort of network, I would also expect that there would be a business-associate arrangement that would protect the information that they hold, to the extent that they are, right now, independent vendors that are largely dealing directly with consumers to set up these accounts. Then, to the extent they are getting the information directly from the consumer, they really are outside of the rules purview and a statutory change would be needed to change that relationship.

I have sort of asked this type of question before, but I am wondering if there is any progress within HHS - I realize this is not necessarily your purview necessarily - but over trying to examine a bit more some of the various costs as well as benefits of the various - not just the specific privacy, really with the privacy concerns in general and how they play out. I mean, it plays out - probably play out in one sense with personal health records, but I can think of a whole range of other issues.

I am just wondering whether there is some systematic way or rigorous way within the department to try to get at the cost as well as the benefit side of it, not so much legislative proposals, but at least to outline the extent to which - what we know or don't know about how these things are playing out.

MS. MC ANDREW: I suspect that that is more of a Jim question than a me question, but -

I think what we started to do is - and I don't know how - there is thought being given to how would you - I'm not sure it costs so much as how would you - what kind of metrics and measures and data would be needed is the first step, Gene, I think, to even assess. Obviously, the first two years were focused on just getting HIPAA simplification and privacy rules in place and getting some experience with the actual operation.

We actually have some - for our research and evaluation plan, at least within my office, and this would be an interagency effort.

We have a proposal to begin to look at what measures and metrics and data would be necessary to go in that direction. So it's the - it's not even - it is the step that would precede that, and we probably will be seeking some advice from the committee on how do we even conceptualize how you would measure benefits, costs and progress and indicators.

MS. MC ANDREW: I think teasing costs for this function out of all the other costs that effect the industry.

DR. COHN: Yes. Yes. Richard is next, but I just had a clarification on your comment. Is this something that your new staff is going to be taking the lead on?

MR. SCANLON: Yes. We are doing our research planning within ASPE - this is our policy research plans, and so, at the moment, it is a proposal.

DR. HARDING: Gene has mentioned that it was a repetitive question, but I, too, have the same repetitive question, because everywhere I go, when people find out that I have something to do with HIPAA, they ask me the same question - that is, providers - and that is around the issue of these 170 cases referred to Justice are any of them because of omissions of HIPAA regulations?

That is, doctors come up to me, if I don't have the screen on my television that is directional or on my computer monitor that is directional, am I going to jail? And I have been able to kind of comfort them a little bit that certainly you should have those kind of things, but that isn't what Justice is all about right now with HIPAA. Is that still an honest answer?

MS. MC ANDREW: Yes. I mean, first of all, Justice is really only taking cases and they only have jurisdiction where there has been an impermissible disclosure. So, to the extent that the screen is not perfectly tilted, that is more of a safeguard issue, and it'll take several other things to happen before it would be even something that would come to the attention of Justice.

DR. HARDING: You would still describe these 170 cases as being rather egregious?

MS. MC ANDREW: They are quite - they are the most serious types of breaches of confidentiality.

MR. ROTHSTEIN: I just wanted to clarify for some of our new members that Gene's question earlier and Jim's response about the studies that are needed to measure the costs and effectiveness of HIPAA, the NCVHS already is on record and has sent a letter to the Secretary recommending that such a system be established. So we are committed to that as a committee, and I am pleased to hear from Jim that we are finally going to be moving forward on that.

Okay. Well, Sue, thank you very much. We appreciate your time, and I know you've got multiple things going on.

MS. MC ANDREW: Thank you, and I apologize for the shortness of the presentation.

DR. COHN: Karen, I think I am going to suggest that why don't we let you go forward and then we'll handle questions for both you and Jim sort of together in discussion for the remaining period.

Actually, I am going to spend most of my time here providing a little bit of an overview of the e-prescribing proposed rule, and I'll start with some important dates.

The proposed rule was announced by the President and went on display on January 27^th. It was actually published in the Federal Register on February 4^th, which makes the 60-day comment period ending on April 5^th.

First of all, I would remind you all that the NCVHS had a very specific role that was set out by the MMA, and, in the regulation, we do talk about the NCVHS role, the process, the hearings that went on with scores and scores of stakeholders through the spring and summer of last year, and the regulation does track very closely with the committee's recommendations, and as I have said before, I think that hearing process stands as a model of public-private consultation and probably sort of a shining example of what a federal advisory committee is supposed to do and look like.

The MMA does state that standards for electronic prescribing will be pilot tested before adoption, and that the Secretary is to announce the initial standards that will be pilot tested by September of this year.

The law also leaves us with a little bit of an escape hatch, because it talks about an exception for providing - for going straight to adopting final standards in situations where there is already adequate industry experience with a standard, and that is a very important concept in this regulation. We very definitely hung our hats on that big time.

So what this regulation does is that it sets out a number of what we are calling foundation standards. They are building blocks that will allow us to enter into an electronic-prescribing environment. They don't have all the functionality that we will need, by any means, but they are a very good place to start and to build on.

The regulation talks about what those foundation standards are. It also explains our incremental strategy that we are starting with these foundation standards, that we will layer other functionality on the top, and that, ultimately, we do not expect to be developing these standards in a vacuum, that these are not to be a Medicare Part D e-prescribing silo, nor are they intended to be an e-prescribing stand-alone that never links up with an electronic health record. So we are standing at the beginning of a road. We know where the end of the road is, and we are soliciting comments very specifically on our strategy from getting from Point A to Point B.

The other thing we discuss in fair detail is state preemption. We know that is a significant issue. A number of presenters have talked to us about the fact that various state laws and regulations, because of their differences across the states, can serve as a barrier to e-prescribing on a national basis.

Let me talk a moment about the foundation standards, and there are three of them.

First of all, obviously, you need a standard to get prescription data to and from physicians and the pharmacies that they are sending the prescription to, and, for that, we have proposed the NCPDP SCRIPT standard for a variety of uses - new prescriptions, refills, changes, cancellations, and there is some ancillary messaging acknowledgments, et cetera, that are necessary to make those transactions run smoothly.

We are not proposing the standard right now for the fill-status process where the pharmacy can tell the physician or the prescriber that the prescription was not filled, was not picked up. The reason that we did not propose that was that we found, during the testimony, that nobody felt that there was adequate industry experience with the use of the SCRIPT in that context. So that is something that we'll be reserving for the pilot-test process.

And I would point out also that the SCRIPT standard is an already-identified standard under the Consolidated Health Informatics Initiative. One of the things that the committee recommended was that, to the extent possible, we stay consistent with CHI and HIPAA standards that are already in place.

The second foundation standard is for eligibility and benefits inquiries and responses going between the prescriber and the sponsor - you'll note, not the pharmacy and the Part D sponsor - and for this we are proposing the X12N270/271, which is already a HIPAA transaction and is already in use in the industry, including any prescribing applications.

And the third foundation standard is for eligibility and - I feel like I am doing the Academy Awards - (laughter).

MS. TRUDEL: And the third nominee is for eligibility and benefits, inquires and responses between dispensers, pharmacies and Part D sponsors, and, for that one, we are proposing the NCPDP Telecommunications Standard which is, again, already adopted under HIPAA as the transaction for the retail pharmacy drug claim and ancillary messaging. So that one is very definitely in extremely widespread use throughout the industry.

Now, we hit a kind of a hybrid because we looked at formulary and benefit information and medication history information, and, again, these are absolutely critical in that they get information to the point of prescription so that the physician is aware of any formulary restrictions. They are aware of any tears in the formulary, and they are aware of not only the medications that they have prescribed for the patient, but that other physicians may have prescribed for the patient, which is critical to patient safety.

When we looked, however, at the existing mechanism for communicating that information back and forth, we found out that, while there was at least one standard in fairly widespread use - these were proprietary formats in use developed by RxHub - that they were not accredited by any ANSI-accredited SDO, and we were not absolutely certain that there were no other candidate standards out there.

So rather than proposing to adopt these non-ANSI-accredited standards, we chose to instead propose some criteria that we would use, characteristics that we would use to adopt or to identify standards for formulary and benefit information and medication history.

One was that they be accredited by an SDO and also that they permit interfaces with multiple products and vendors to make sure that they would work, again, on an industry-wide basis and that we were not building up some sort of a silo that would prove to not be interoperable at a later time.

We also set out some other criteria, both for formulary and benefits and for medication history. There's an awful lot of verbiage on that screen, but the bottom line is that for formulary and benefits, we wanted a uniform means to communicate a wide range of formulary and benefit information; that is, that we did not want the standard to constrain how a plan might structure its formulary - whether or not it had tears, how it expressed the formulary. We wanted the standard to be flexible enough that it could take any structure that was there and communicate it accurately.

For medication history, we wanted, again, a uniform means of requesting and providing listings of drugs, and we also wanted to make it possible to restrict the prescriptions to certain time frames, so that you would not necessarily get back two, three, four or six, eight, 12 months of information, if all you wanted was the last three.

So we also solicit comments on these criteria, and, again, on what specific standards, including RxHub, might meet these criteria. So we are open to potential other candidate standards, although I must say that in the course of the very detailed testimony that the subcommittee heard, no other potential standards kind of bubbled up to the surface.

And, again, just sort of a postscript to this, the industry kind of got where we were going with this very early on, and RxHub volunteered to donate, essentially, its proprietary format as a basis for a standards development organization and SDO-accredited product.

They had been working with the National Council on Prescription Drug Programs and have been working to potentially get those RxHub proprietary formats for formulary and medication history through the SDO-accreditation process, which would then meet the one criterion especially that these proprietary formats did not previously meet.

A word of caution there. This process is still ongoing, and the subcommittee is committed to continuing to monitor that progress. If the standards come through the process, however, and they have changed significantly, there is a need to go back and look to see whether, at that point, the product that comes out at the final analysis continues to meet the requirement of adequate industry experience, because the standards, as they now are, do have adequate industry experience. If they change too much, we may be back to the drawing board and those standards may wind up being part of the pilot test and would not go into effect until 2008, 2009, rather than being part of the Part D program in general coming up in 2006. So that is a critical one that we are watching very, very closely.

Okay. The first set of standards, as I said, does not represent the full set of standards necessary for e-prescribing, and that we will - HHS will identify, as required in the MMA, a set of initial standards to be pilot tested in 2006; and, again, the committee's initial recommendation letter from last September already identified for us a number of potential standards that we do need to test, and we will be - once that process is finished - then going through a separate rule-making process to build those new standards on top of the foundation standards; and, again, we request comments on this incremental approach.

The state-preemption issue, which, as I said, was rather critical, in the regulation, we talk about the fact that there could be several ways to do preemption, one that would only apply to transactions and entities that are part of an electronic prescription drug program under Part D - in other words, it would be Medicare Part D limited - or we could apply it to a broader set of transactions and entities and say we are preempting just about everything for just about every e-prescribing application.

In the proposed rule, we take that first narrow interpretation and, again, invite public comments.

Another issue that is discussed in the regulation is the use of the National Provider Identifier, which is a HIPAA standard to identify both prescribers and pharmacies that are actually dispensing the prescriptions. We are in a sort of a time crunch as far as that is concerned, and I'll talk a little bit about the NPI later.

In terms of the NPI-enabling regulation, covered entities would not be required to use their NPIs until 2007. If we were to adopt and implement the NPI in e-prescribing, it would have to occur initially in 2006, and so we are asking for comments on the potential impact of accelerating that by a year or more.

And, again, there was a lot of discussion about the use of standards within an enterprise. For instance, a staff model HMO that has a pharmacy, the entire prescription transaction could be taking place within one entity where the physician who writes the prescription, the pharmacy that dispenses the medication and the plan itself that is bearing the risk are all part of the same umbrella organization.

The NCVHS recommendation was to exempt those transactions within an entity because, in many cases, entities of that sort that have already implemented e-prescribing have done so with HL-7 standards rather than the ones that we are recommending.

In the NPRM, we communicate that recommendation, but we note that the notion of standards within an enterprise is inconsistent with the way HIPAA administrative simplification treats that issue. Under HIPAA we require that a standard be used even within an enterprise as long as it meets the definition of what that HIPAA transaction is. So we are soliciting comments on that issue.

Let me talk a little bit about pilot testing. As I said, the pilot tests are required in calendar year 2006. We will soon be soliciting applications. We are working on a Request for Proposals right now, and we expect that we will provide some criterias to what will be included in the pilots. We will do this in full and open competition, and, again, the participation in pilots is completely voluntary.

The structure of the pilots will probably follow, in many ways, the NCVHS recommendations, and we have already done an analysis of existing e-prescribing programs that are in operation. That will inform the discussion as well, and, at the end of the pilot process, we will be required to do a report to Congress in 2007, and then promulgate final standards no later than April of 2008.

So those subsequent milestones we finish, hopefully, in 2008, and that completes my presentation on e-prescribing.

Let me talk a little bit about the security compliance deadline that is coming up on April 20^th of this year. I am sure that, again, security compliance and enforcement, because it is very closely linked to privacy enforcement, is, again, probably raising the same kinds of concerns that Richard mentioned earlier among practitioners, and I want to state, again, very clearly, that the security process, like the privacy process, is complaint driven. It is not audit driven. We realize that many security complaints may have a privacy aspect to them and vice versa, and we have been having very intensive discussions with the Office for Civil Rights to sort out how we are going to collaborate on processing dual complaints and how we are going to decide which complaints have privacy or security implications.

We are looking at a one-stop-shopping kind of perspective where the complainant doesn't have to work out, well, this is a privacy complaint, so it should go to CMS or it is a - OCR or it is a security complaint and it should go to CMS. Wherever the complaint is initially submitted, we will all take a look at it and the service will happen from the agency that receives the complaint, but we'll take care of sorting out who needs to do what, and, hopefully, that will make the process a little bit smoother.

Also wanted to say that we are in the process of final clearance of a number of technical materials having to do with security, some frequently-asked questions that have been cropping up over the last months and some technical papers on security - a whole series of them - not dissimilar to the ones that we developed for HIPAA transactions and code sets.

Let me talk a little bit about the NPI as well. The effective date of the regulation is coming up in May. You remember the effective date of the regulation was put off so that we could make sure that we were able to assign NPIs as of that date. So the compliance date is now in May of 2007.

We have selected an enumerator contractor. It is Fox Systems, and so they are on board. We are working on system testing on the system itself. The enumerator is there, and we are in the process of planning some fairly intensive outreach over the next two to three months to make sure that providers are aware of what the NPI is, what the deadlines are, how you get one, what does it all mean, et cetera.

And I think that is all I wanted to report, and I would be happy to take questions.

DR. COHN: Well, Karen, thank you very much, and I would comment that while we did not choreograph this, at least I don't think we did, we were wondering how to give everybody a little bit of a background on e-prescribing. So, thank you very much.

MR. REYNOLDS: Karen, security is probably the quietest of the HIPAA implementations, at least it appears. Are there any areas – well, first, do you think that - are really moving forward, and, second, are there any particular areas where the rule that you think are the biggest problems?

MS. TRUDEL: Yes, from the industry surveys that I have been seeing, I clearly can't say that 100-percent of covered entities intend to be compliant by the deadline, but the number is fairly high and it is moving in the right direction, I think.

I guess the implementation is quiet because a security violation will not stop cash flow, and because security, from a patient's perspective, is a little bit harder to assess than, for instance, did I or did I not receive a notice of privacy practices. So I think that that kind of contributes to this.

I think, in terms of potential hot spots, that the main one that I see is just communicating the concept of risk analysis and risk management and making sure that covered entities, especially the smaller ones, understand what benefits we have provided to them by the flexibility and the scalability and the fact that solutions don't have to be technical and that they don't have to be expensive. Those are some of the things that - messages that we are trying to get across.

And I should actually comment that since Jim Scanlon missed his chance for questions, he is fair game, too. (Laughter).

The tech papers that you talked about being made available for the security role, are any of them going to relate to medical equipment?

MR. HOUSTON: Okay. Thank you. That is the first question. The second question, you had talked about the complaint process and how you are going to manage inflow of complaint. There has been a lot of discussion about JCHO and its desire to potentially involve itself in assessing organizations' compliance, the security role or looking at security-related - healthcare provider.

Is that going to be an avenue for complaints or information coming back to your organization or would that be separate and distinct and -

We have not had any discussions with the joint commission on an official role for them. We do have some contracted resources, but they would be what we would use to actually do assessments should we exceed the capabilities of our own staff resources, and we don't communicate information to anyone on open complaint. So we are certainly not going to communicate information to the commission.

MS. TRUDEL: And unless the commission were actually to file a complaint, we would have no way of knowing that there was any kind of a violation.

My comment flows from Jim's statement, but only indirectly, and I would like to propose a change in our committee website that I think will make it easier for committee members and the public to follow what has happened as a result of the recommendations that we make, and so what I would propose is that where we list the letters that we send to the Secretary we link to the responses that the Secretary has given to the letters and put the date of the response, et cetera, and, if it is easily achievable, link to other things that have occurred as a followup to our letter. So it may be a guidance document that was issued by CMS or OCR or FAQs or something.

There are practical limits to the extent to which we can keep updating all of our letters, but I think, based on, for example, press calls that I get and inquiries from colleagues, it would be very helpful if we try to do a better job of documenting what has happened as a result of our recommendations.

DR. COHN: Well, I guess we should ask Jim about that, since we are directing it towards him. I think - the initial idea seems to be - should be very doable, I would think.

Now, we do publish on the website the responses from the Secretary, but, you are right, they are not linked, Mark, necessarily, to the incoming, but we can certainly look at that. Any way to make it more user friendly.

Now, there may be a practical limitation on when we begin linking to related actions, as a practical matter that may not be -

MR. SCANLON: But, certainly, directly related papers, reports and guidances and so on, we'll try to do that. So we'll look at that.

DR. COHN: I would just say, to follow that one up, I think that, certainly, the first step sounds very easy. I think the Executive Subcommittee will have to monitor, discuss that sort of next step, because, conceptually, I think we all agree, it makes sense, but a lot of times, you know, we influence actions. We don't directly -

DR. COHN: It's not a one for one, and so I think we just need to be a little careful, because, in some ways, that is beginning to take credit for things that we may - (laughter) - may be inappropriate to be taking credit for.

But I think that is an Executive Subcommittee thing and we can sort of monitor that and report back to you.

I'm not sure whether this question is most appropriately going to be addressed by Karen or by Jim, and I'm going to just say a couple of words for some of the new committee members or folks that may not be familiar with some of these things.

You know, we went through kind of several years when we were very focused on the standards as directed by HIPAA, and then we had a few more years where we were very focused on NCVHS as we got to clinical data standards where the Consolidated Health Informatics Initiative was kind of the main group that we worked with, and there's been a few references now to the emergence of the Federal Health Architecture, and I was wondering if either of you could help us understand what role that will be playing and how does it relate to - and, also, in specific, does it replace CHI? Does it - it compliments CHI or is it just a next step?

I think we are planning - we actually talked about this in the Executive Committee. I think we are planning to - the Federal Health Architecture is an interagency federal group that includes DOD, VA, a lot of our HHS agencies and a lot of the other agencies that have - that are involved somehow in the federal health and public health enterprise, and it is - certainly, OMB looks on it as kind of an interagency way of coordinating and helping with the broader issue of coordinating health information technology in the federal sphere.

It includes the CHI. The CHI is an element within the Federal Health Architecture.

But I think you are raising the question that we are all sort of beginning to consider again. I think David Brailer, in a way, alluded to this in one of the letters to the committee. I think maybe what we - Because the Federal Health Architecture is now an interagency activity, we may want to have them come in and brief the full committee on what the scope and the nature and plans and the deliverables for that whole effort are.

I think David Brailer was actually asking the committee to serve in a review capacity for recommendations that would be coming out of the FHA.

The CHI is within the FHA - I think I am stating this correctly, Karen - but the FHA includes other activities as well. It probably will include architecture kinds of considerations and frameworks and possibly some other broader things.

So I think the timing is probably right where we want to think about bringing, maybe, a briefing on the FHA to the full committee, probably, Simon, at a future meeting.

MS. TRUDEL: And if I can follow up, the FHA's Program Management Office is being run from the Office of the National Coordinator.

The CHI is a workgroup under the FHA, and many, many of the same participants continue to be involved, including CMS, DOD, VA, and so there is continuity there, but the sense was that, as of this point in time, events have kind of caught up with us, and it did not make sense to continue to have CHI in a capacity that was outside the general discussion of a health architecture, because the standards and the vocabularies are such an integral role in developing that architecture. So I kind of view it as being a - not a demotion of CHI, but a very necessary linkage point.

I have actually already invited the FHA to come and present in June. So there will be a briefing. I am expecting, based on my initial understanding, that this will likely generate - I mean, there needs to be a briefing at the full committee, but I expect that it will be generating some subcommittee action, in terms of further investigation, hearings, et cetera, but I think it is too early yet to really say exactly what that will be, but, certainly, is a - I think the full committee needs a briefing on this, and it is - I think, from my view, it is CHI and a whole lot more. Clearly, it is an architecture, not just a set of data standards that deal with domains.

Now, Mike, you have a question, and I think, after that, we are going to have to sort of complete this section and then move into our letter.

DR. COHN: Oh, is there - Oh, I'm sorry. Carol had a question. Okay. You're the last one then.

DR. FITZMAURICE: Karen, at the last full meeting, Nathan Koladne(?) presented to us and gave us a number of HIPAA complaints, number resolved, percent of Medicare claims that are compliant with the transaction and the code standards and their implementation guides.

Who is the head of the office now, and do you have those same kind of statistics that you could give us?

MS. TRUDEL: The directorship of the office is currently vacant and I do have statistics. I have not brought them with me. I can recall, off the top of my head, our rate of closing complaints is at about 53 percent, that many of the complaints we are receiving have to do with either trading-partner-agreement problems, where one party is alleging that the provisions of a trading-partner agreement either are counter to HIPAA or there are situations where inappropriate charges are being made, and, also, many of the complaints have to do with allegations that compliant transactions were rejected by a health plan.

Most of the complaints continue to be filed by our own behalf of the providers, and, in terms of the Medicare percentage of compliant incoming claims, we are hovering at about 99 percent of compliant incoming transactions.

DR. FITZMAURICE: Well, and could I follow up with a presentation you made on what dates will physicians be able to request and on what dates will they be able to receive their National Provider Identifiers?

MS. TRUDEL: It is my understanding that the system go-live date, where NPIs could be requested, is still somewhere around the end of this coming May.

DR. FITZMAURICE: And they then should be able to receive them in a month or two after that?

MS. TRUDEL: Well, the process is primarily web based, so depending on any kind of additional information that might be needed, it would be possible to get one almost immediately.

DR. COHN: John Lumpkin was asking me if he could get a special vanity number. (Laughter).

MS. MC CALL: Yes, I wanted to ask a question about one of your - I guess one of your first-runner-up foundation standards from this morning, and it has to do with the formulary and benefit medication history.

You talked about the fact that no other standard had bubbled up and that you are monitoring that one closely, and so while I certainly understand - because of some of the things I have done in my work history - that they need to be very flexible, and, yet, if they went into pilot, as opposed to foundation, there could be a material impact on adoption, because it could significantly enhance the experience of electronic prescribing and all that.

So with that as context, my question is what do you think the likelihood will be of the significant changes that could come out from the comment period? What have the comments been to date? And some of this is a little bit of history for me, being a new member, just trying to understand through this comment process and soliciting comments back, the likelihood that it would end up in pilot as opposed to foundation.

MS. TRUDEL: I think there are a couple of different questions kind of intermixed in there.

The comment process, under the Administrative Procedure Act, goes for, as I said, 60 days. The comments will - the comment period is up on April 5^th.

Traditionally and historically, we receive 98 percent of the comments within three days of that deadline. As of right now - and I checked yesterday - we had not received one single comment on this NPIM, and we are already halfway through the comment process.

Let me take another step, though, and say that the SDO process, the process within the NCPDP, where the members of NCPDP are looking at the RxHub proprietary formats and trying to turn them into standards, is still ongoing. So I think that is very, very much up in the air, and, in fact, there is a meeting in Phoenix this weekend to kind of duke out some of the potential comments. So I think it is too soon to tell.

DR. COHN: And, Karen, I should comment that many of us in the industry are still trying to deal with responses to the 45-day CFS notice and other such things like that. So, yes, you will get comments three days before they are due, but not that day.

Okay. Well, we want to thank both - Karen, we are obviously delighted to have you take on the role of - liaison to - from CMS to the committee. So welcome.

DR. COHN: Yes. Now, with that - and, obviously, I want to actually thank our new members. It is unusual in our first session to have new members starting to ask questions, and we certainly - I think it speaks well of the new crop. So good.

DR. COHN: Now, what we are going to do now is to turn to a letter for consideration which Mark Rothstein is going to bring forward.

Now, for our new members in this room, and also our old members, it is usually the tradition of the committee that what we do is we do a reading and comment on the first day, then moving to an action the second.

We also, normally, if we are dealing with a letter, we pass it with the ability to make minor wordsmithing changes, because there's always wordsmithing changes.

Now, however, having said that, if a letter really does look pretty good and everybody is generally in agreement, we do typically reserve the right to actually move a letter even on the first day, if there's no disagreement. So we do have some flexibility on that.

So, Mark, I am passing this over to you, and what would you like to do with this letter?

MR. ROTHSTEIN: Any objections? That is what I would like to do with the letter. (Laughter).

The letter is in Tab 3, and I want to just briefly say, for background, this was a letter that arose out of joint hearings between the Subcommittee on Standards and Security and the Subcommittee on Privacy and Confidentiality that were largely the result of John Houston's work. So we need to acknowledge that.

There are a number of places in the letter that, as I have gone through it, minor changes need to be made - adding the Secretary's name, adding some capitalization, subtracting some capitalizations and so forth - that we will add before tomorrow's final version comes through.

Simon, do you suggest that I read the letter for the benefit of the internet listeners?

"As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996, HIPAA, the National Committee on Vital and Health Statistics, NCVHS, monitors the implementation of the Administrative Simplification Provisions of HIPAA, including the Security Standard for Electronic Protected Health Information, Security Rule. The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Washington, D.C. on November 19, 2004. The hearings were intended to gather information about the effect of the Security Rule on medical devices.

"At the hearings, we heard testimony from the Veterans Administration, VA, the Food and Drug Administration, FDA, as well as various manufacturers of FDA-regulated software and medical devices. We also received written comments from an individual representing various medical-device-industry groups.

"The witnesses indicated that there are a wide variety of challenges associated with bringing medical devices into compliance with the Security Rule, as well as providing effective security. The witnesses' testimony centered around two main themes:

"1. While most new and currently produced medical devices are capable of complying with the Security Rule, much of the medical equipment in use is no longer manufactured and may not be ungradable by the manufacturer. As a result, it may not be possible to bring these ‘legacy devices' into compliance with the Security Rule.

"2. Many of the medical devices manufactured today contain commercial-off-the-shelf, COTS, software and operating systems. Because of the critical nature of the medical equipment, any updates - including those released by COTS software manufacturers in response to specific security threats - must be tested to ensure that the updates do not adversely affect the operation of the medical device. This testing often delays implementing critical security updates. Further, Manufacturers are concerned that some customers update medical equipment with the latest patches without first verifying whether the update affects the safe operation of the medical device."

It might be my naivete, but I'm wondering if we might have a statement of the current state of what is it that is - what are we fixing? In other words, what is it about medical devices and security? What is the problem

MR. HOUSTON: I think - I mean, it is buried in the second of the main themes that was outlined on page 1, which is - well, first of all, the fact that they have commercial-off-the-shelf software and operating systems embedded in them and that they must be tested to ensure that the updates do not adversely affect the operation of the medical device. I mean, it is buried there. I think maybe we could - If we wanted to, we could push that up into a paragraph.

MR. ROTHSTEIN: Well, I am hearing Justine's question to be at a more general level even. I mean, why is this a HIPAA issue at all and so forth?

DR. CARR: Right. Does a medical device have a patient's name on it somewhere? That is the part I am trying to understand. I mean, I kind of know the answer, but -

MR. HOUSTON: I mean, we can add a paragraph to discuss that. I think it is pretty clear that some medical equipment does, in fact, have patient information, as well as the fact it is - if it resides on a network which is used by other systems that contain patient information, they may be the source of some type of malicious attack or vulnerability, which could then impact that equipment.

DR. CARR: I'm not sure - You know, I guess it depends who the audience is. Maybe the Secretary knows this, but a lot of people don't know of the link of a medical device linking to a particular patient, and I think it would be helpful to state that that linkage is subject to this kind of scrutiny.

MR. ROTHSTEIN: So as I hear the suggestion, what we need to add to the letter is some indication that there is PHI in the medical devices or linked through the medical devices to some other aspect of the medical record in the hospital or other institution, and that is why it is a HIPAA-security issue. Is that your question?

MS. MC CALL: One thing and this is kind of a clarification of some examples. There are devices that are implanted that stream information, and it may not necessarily go straight into an electronic medical record. So it is actually going, perhaps through open channels, and going into some database that is not technically part of what is thought of as a medical record. So that could be another clarification put in.

One is there are devices - all devices, almost, now have both an operating system and software that operates native to the device, and some of them - let's say these smarter devices, smart monitors, actually do have patient information stored in what might be considered the confines of the box.

The other problem is actually, I think, a little bit more concerning, and that is that viruses not only can disable networks and things that you normally associate with computers, they can affect the operation of the software in the device and literally stop the operation of - let's say - a monitor, a ventilator, very important devices. So that is a real challenge. Hopefully, the challenge is more so in the more contemporary devices so that we can update those.

One of my questions would be is there a need for doing a risk analysis of these legacy systems that can't be upgraded? Is the fact that they can't be upgraded also a protection that they aren't infectable (laughter) infectable by a virus, but I don't know the answer to that.

MR. ROTHSTEIN: Well, I do think the recommendations at the end contemplate that assessment of the legacy devices and the way in which they can or should be updated.

DR. COHN: Okay. So we'll hold that thought and see if it gets reflected in the recommendations.

DR. FITZMAURICE: On the last sentence on the first page, "Manufacturers are concerned that some customers update medical equipment with the latest patches without first verifying whether the update affects the safe operation of the medical device."

I was puzzled because if the manufacturers themselves are the source of the patches, then they probably know that -

MR. HOUSTON: Right. There's an imbedded operating system like Microsoft or Windows or something of that sort. Often, the provider will actually take that update and try to install it on the device that is containing that operating system. Maybe we should clarify.

DR. FITZMAURICE: I would clarify it with - like the latest patches from sources other than the manufacturer, and, then, at the end, I would append, in their specific uses, because they can apply it to their device, it could be fine, but somebody uses the device inappropriately, given that update, it becomes that person's or the institution's responsibility, but they would be concerned, then, about the use, not in their own manufacturing operations or the normal use, but somebody else's use. So at the end, I would put, in their specific use, just to clarify that as well.

DR. COHN: I think you guys can wordsmith that offline. Anything else in terms of this first page before we move on?

"One witness representing the VA testified that the Security Rule has been perceived as a barrier to the continued use of certain medical equipment. Where medical equipment needs to be modified to comply with the Security Rule, the providers must often wait for the manufacturer to provide the appropriate updates.

"Another witness representing the FDA stated that the FDA's primary focus is the safe and effective use of medical devices. As such, the FDA does not evaluate security in approving the use of a medical device. The witness further indicated that it is the responsibility of the medical-device manufacturers to design their devices to enable Covered Entities to comply with the Security Rule.

"A number of witnesses recommended that a process be developed to allow manufacturers to post Security Rule information for their medical devices. The witnesses cited an initiative by the Healthcare Information Management and Systems Society, HIMSS, Medical Device Security Workgroup. The workgroup proposed that the industry adopt the use of a ‘Manufacturers Disclosure for Medical Device Security', MDS-2, form. The MDS-2 is a vehicle for Medical Device Manufacturers to report the capabilities of their medical devices consistent with the security rule. While there was no consensus whether the HIMSS MDS-2 form was suitable for use, in concept it appears that this approach would be of great value to providers."

DR. VIGILANTE: So am I to interpret the second paragraph to mean that the - if a device has been approved by the FDA, that changes of this nature do not materially impact what was considered in approving that device?

MR. HOUSTON: Interestingly enough - and I have it up on my screen now - the FDA actually issued some guidance regarding medical devices containing off-the-shelf software, and it just happened at the beginning of February, and it seems to be slightly conflicting, maybe, or at least inconsistent with that testimony, and, interestingly enough, it was also - this guidance was provided by the same person who testified here.

So I am not sure whether - there's - at least indicating that they have an interest in ensuring that providers appropriately secure their medical equipment. So I'm not sure how much of an active role the FDA is going to take in that regard.

MR. ROTHSTEIN: Well, let me suggest that we take a look at that at our subcommittee meeting tomorrow morning and report back the new language that we adopt, and then take whatever credit we want for FDA changing its rule and claim that it came out of our hearing.

DR. VIGILANTE: Yes, I think there is a fair amount of anxiety among manufacturers that if they apply a patch to something that has been previously approved, are they held liable for operating a device that is different in some way than the one that was originally approved, and I think that it is correct that, in most of these cases, that won't be the case, and I think the FDA has criteria against which that modification needs to be assessed. However, one could conceive circumstances in which you would be outside the set of those criteria. So it might be helpful to actually state those criteria, so it's fully understood.

DR. VIGILANTE: I believe FDA has a set of criteria against which any modification would be assessed. I haven't read them in a while, but there's three or four criteria, and as long as you are within the boundaries of those, then you don't expose yourself to liability or - by fundamentally changing the nature of the device as originally approved.

MR. ROTHSTEIN: How about if we take a look at that and incorporate the suggestions from Kevin into this new paragraph that we are going to draft when we look at what the new FDA position is? Is that okay?

MR. HOUSTON: Some of the recommendations might also sort of touch upon this or at least discusses the fact that we think there's guidance that is required, and I think, even in that regard, I think that some of that might already be there by reference point already.

DR. COHN: Well, I'm glad that you've been given some wordsmithing activities here so far, please. (Laughter).

MR. ROTHSTEIN: "Based on the oral and written testimony, NCVHS recommends the following:

Bullet number one, "HHS should provide guidance to covered entities to assist in bringing medical equipment into compliance with the Security Rule."

Bullet two, "HHS should provide clarification regarding the compliance obligations of covered entities with non-compliant and non-ungradable legacy medical devices. A range of options should be considered based on the nature of the equipment, its replacement cost and life expectancy, the security problems, and the possibility of protecting the security of PHI through other means."

Bullet three, "HHS should consider supporting industry efforts to have medical-device manufacturers self report the capability of their medical devices consistent with the Security Rule."

And bullet number four, "HHS should develop guidance to assist medical-device manufacturers to provide medical-device functionality consistent with the Security Rule, as well as address security risks.

I would make one suggestion myself, having gone through this several times, is to reverse the order of bullets four and three, because we deal in bullets one and two with covered entities, and I think that clearly should be first, and then guidance comes after that, even though it is through manufacturers, and then the fourth one, which is now number three, the consider supporting the industry seems to me to be less - sort of farther away from the core mission of what we normally recommend, and that, I think, logically, should be number four.

DR. TANG: Just like the HIPAA privacy rule, one of the main advantages or the benefits might have been it raised the awareness even of providers about their obligations and responsibilities.

In this sense, I am wondering what the awareness is of providers on the potential risk of the security - the disabling of the operation of the device, and I wonder if there could be a bullet really close to the top about addressing that. So although it may be contained in how do they comply with the security rule, maybe we really need to understand the risk assessment of, let's say, viruses or broadcasting of PHI from their device, because I don't know that providers understand that until they have had their first mishap.

I am going to try to get some more details. We had a virus infect our network and disabled communication with the monitors, and I want to get some more details that I might be able to bring tomorrow morning, but it is something that is going to be just living life in the new world.

MR. ROTHSTEIN: Well, the way we could - I think - capture that in a bullet recommendation is to recommend that additional education and outreach efforts be undertaken by the Secretary to inform covered entities of the potential threats to PHI in medical devices. Is that along the lines of what you are suggesting?

DR. TANG: I think so. I suspect there's some in the industry that don't know that their devices can be infected and what its impact is to patient care -

DR. VIGILANTE: So it's more than PHI. I think - but if you can imagine the more integrated your system is the more vulnerable - in the future, when, you know, both your infusion pumps and your monitors and your ventilators are controlled by, say, a central dashboard at the ICU, rather than locally, if something gets infected and they all go down disabled, either by accident or purposefully, it creates vulnerabilities to patient care, which I think have been underappreciated rather substantially.

DR. LUMPKIN: Well, I think that there is a bigger issue which we are kind of mired in because of our perspective on health-information policy, and that is that as medical device is used and have more innate intelligence, they become vulnerable, not only to intentional problems, but, by upgrading, you could, in fact, you know, if the original device was designed such that they used a loophole in the Window's operating system and a patch closes that, that could be a serious complication.

Now, if this were a hip implant and we knew that there were crystalline defects in that and they are liable to break, there would be a recall or something done by the FDA, and I think that probably what should be done, either in a separate communication or sort of as an - saying, this is something the FDA needs to look at.

These things ought to be tracked. They ought to be monitored, and when patches come out that potentially disable them, there ought to be notifications and sent to people who actually own these devices.

DR. COHN: Yes, John Houston, John Paul, and then I think we are going to need to stop for just a second.

MR. HOUSTON: Okay. I think a lot of what we are talking about, the FDA is already attempting - I think they are already attempting to do in this most recent guidance that they have put out.

MR. HOUSTON: I guess my question is is are we recommending something that the FDA is going to look at and say, February 9^th, we put out a guidance document that was really intended to provide - at least start down that road.

DR. COHN: And I'm going to suggest we hold off for just a second. We are moving to a different item now, and then we'll come back and dispose of our comments and figure out what the next steps are.

What we want to do is to shift to a comments from the Assistant Secretary for Planning and Evaluation. Michael O'Grady, we are happy to have you join us and thank you for coming.

DR. O'GRADY: I did just want to take a minute to thank everyone, and, in particular, on behalf of the Secretary and the leadership at HHS, I do want to express the Department's really deep thanks and appreciation to the members of the National Committee on Vital and Health Statistics, and, really, the long and distinguished history of this committee, I just - like I say, I wanted to come here and really thank you for the great work that you have done so far.

We have a couple of members who will be leaving and a few who will be joining, and I just wanted to take a second, and they have - as my friend, Mr. Scanlon, here - this friend Mr. Scanlon, not the new Mr. Scanlon. (Laughter). That's right. Yes, that's right, but we don't call them Scanlon One and Two. (Laughter). We just don't - we don't do that, really.

I did want to take a second. There are some certificates here, as well as an award or - to show the dedication, and I just would like to read the certificates, if you'll bear with me for a second.

From HHS, the Office of the Secretary, the Secretary's Certificate of Appreciation presented to John R. Lumpkin, M.D., M.P.H, for the dedicated leadership, service and major contributions to the advancement of the national health information policy as a member of the National Committee on Vital and Health Statistics from September 1996 to December 2004, and Chairman from September 2000 through December 2004, and as Chairman of the National Health Information Infrastructure Workgroup from June 2000 through December 2004. Dr. Lumpkin, thank you very much. (Applause).

Let's see. I believe - Is Vickie Mays here as well? Oh, well, then maybe I'll read for the people who aren't, and see if she steps back in.

Again, from the Office of the Secretary, the Secretary's Certificate of Appreciation to Jacklyn Lee Adler for dedicated service and major contribution to the advancement of vital and health statistics systems for the U.S. as the committee management specialist for the National Committee on Vital and Health Statistics, February 1985 to February 2005. (Applause).

And to Peggy L. Bartles-Handrich for dedicated service and major contribution to the advancement of population health statistics, and as a member of the National Committee on Vital and Health Statistics, October 2002 through December 2004. Thank you. (Applause).

DR. O'GRADY: That's all right. I just thought if we were going to read the certificate, it would be better if you were here. (Laughter).

From the Office of the Secretary, Secretary's Certificate of Appreciation, Vickie Mays, Ph.D., M.S.P.H., for dedicated service and major contributions to the advancement of population health statistics and as a member of the National Committee on Vital and Health Statistics and Chairman - Chairperson of the Population Subcommittee, October 2001 to December 2004. Thank you very much. (Applause).

And one last one to Eugene L. Lengerich, B.M.D., for the dedicated service, major contribution to the advancement of population health statistics and as a member of the National Committee on Vital and Health Statistics, November 2000 to December 2004. (Applause).

And I do want to point out for you who don't actually have a copy of this, it is actually signed by Michael Leavitt, not a lowly Michael O'Grady. It's a real - main boss is the one who actually signed it.

Jim, have you already introduced the new members at this point or should we do that?

DR. O'GRADY: Okay. All right. Well, I just do want to really thank very much everyone who is finishing up their turn and wanted to really welcome the new members of the committee.

Dr. Bill Scanlon, an esteemed scholar, recently of the General Accounting Office, before that and after that of Georgetown University and any number of different areas. I think you'll find Dr. Scanlon is an excellent member and contribution to this.

Carol McCall from Humana. I have to admit in my checkered career I have had the interesting career of having an awful lot to do with actuaries over the years, for a guy who basically worked on the Hill for much of his career, and Carol is really one of the smartest and most innovative actuaries I have ever come across, and whether she knows it or not, her thoughts and influence can be found in any number of provisions of the new Medicare Prescription Drug Act, in terms of just an innovative way of looking at these very old problems and how to sort of come up with a new way to deal with them.

And Paul Tang. Paul - Hi, Paul. Welcome very much. I'm afraid you and I - this is the first time we have met, but I really want to welcome you very much, and you certainly come very highly recommended, and I'm sure – hopefully, you'll enjoy it, and I am sure that your fellow members should really appreciate your contribution. Thank you very much. (Applause).

Now, probably, we ought to try to finish up that last item and then take a break.

I think what we have heard is a variety of - I think, primarily, wordsmithing with some substantive bullets -

MR. ROTHSTEIN: Well, I think there are several substantive additions that need to be made that John will get on right away. (Laughter).

DR. COHN: Yes. I do want to comment, obviously, the focus for this effort is really going to be the privacy subcommittee meeting tomorrow morning -

DR. COHN: - and I think this is a timely enough letter that we do need to have this completed and up to everybody's satisfaction, though maybe not perfect, but, hopefully, good enough that people will be willing to pass tomorrow, and I also am hoping, obviously - I know John had a reputation, certainly, I have a reputation of having meetings end on time, and so I want to make sure that we have this letter in a shape tomorrow that we can actually go through it and pass it in a relatively speedy fashion, lest I'm going to have to violate my tradition and keep everybody after. So -

MR. ROTHSTEIN: Simon, you'll have it tomorrow. May have some tomato sauce on it, but - (laughter) - you'll have it tomorrow.

DR. COHN: Okay. Well, with that, I think we'll all work on it and provide input, and, obviously, thank you all.

DR. COHN: Okay. Let me just talk for a minute about the work of the next hour and 15 minutes and then what will be happening as we move to after lunch between basically 1:15 and two o'clock.

As you'll see, we have basically two action items coming forward from the Subcommittee on Standards and Security. There is a longer letter on e-prescribing. I think you have the - sort of the final draft on your desk, and then there's a shorter letter, once again, from the subcommittee making comments on the e-prescribing proposed rule that CMS has come out with.

Now, actually, do we have that other letter? The other thing. Okay. So we have both letters.

What we'll be doing is discussing both of them, with potential action coming tomorrow.

Now, I do want to remind everyone that full committee time is - obviously, we try to minimize actual wordsmithing. It is time for important concepts, if we are not expressing the ideas, and I think we did a pretty good job of that with the letter on medical devices.

Obviously, given the length of the first letter, we are not going to start reading all of the background. Otherwise, we will be here many hours into the evening.

MR. HOUSTON: I would like to have it read, please. DR. COHN: Thank you, John. I think I'll pretend I didn't hear you on that one.

But what we will do is to start moving into the observations and recommendations and, obviously, asking all of you who have reviewed the background - I mean, obviously, time permitting, we will go back and take comments on the background, but we would really ask - since the background is primarily factual and sort of sets up the observations and recommendations, if there are specific points in there, we will either take them from you, after we have gone through the observations and recommendations, or off line, as we begin to do further wordsmithing on the letter.

Obviously, as I said, we'll, hopefully, make it to as far as we can on the first letter before the lunch break, finishing up whatever is left afterwards, and then move on to the other letter.

Is everyone okay with that process as we are describing, other than John Paul? (Laughter). Thank you, John.

MR. HOUSTON: Make one other statement, that I am glad that Paul is now on the committee, because we have preserved the ratio of lawyers to physicians - (laughter) - which is a very important.

DR. COHN: Well, with this one, I will hand off the discussions to both Harry Reynolds and Jeff Blair, please.

MR. BLAIR: Okay. Harry and I have kind of worked out a little game plan here, and Simon has, you know, indicated to you, for the most part, our proceeding here.

For those of you who are new, you probably noticed that in September of this last year we provided our initial recommendation on e-prescribing standards, but we didn't have time to be able to cover all that had been set forth in the MMA - MMA being Medicare Prescription-Drug Improvement Modernization Act. So this letter that you have in front of you now is an effort to focus on some challenging areas.

As Simon indicated, we are assuming that, since you received this letter before this last weekend, that you will have had a chance to have read it by now, and, therefore, we will not go through the background section up front. We could come back on that, but we are assuming that you have at least read that through.

So Harry is going to begin with the observations and then the recommendations that address those observations. There's 10 of them.

The first two observations are focused on e-prescribing. They are a pair. The first one winds up having observations that focus on current e-signature issues, electronic-signature issues within electronic prescription networks, and the second one winds up indicating that not all electronic prescriptions will go through e-prescribing networks and that there may be greater security requirements in the future. So they are a pair. So keep that in mind as Harry reads those through to you.

Then, Observations 3 through 9 are really follow-up or monitoring observations based on the recommendations of NCVHS last September.

Then Observation 10 winds up being kind of a joint observation and recommendation that was done with the Privacy Subcommittee on privacy issues related to e-prescribing.

After Harry and we go through the process of going through all of those - we've got about an hour - okay? - then, if there is time left over, then, we could entertain any questions or comments on the background section, and if we don't have that time, then Margret Amatayakul, are you here?

MR. BLAIR: Okay. Then may I ask if you get those additional - you know, especially any wordsmithing or editing, commas, punctuation stuff, please get that to Margret in time for our breakout session at - I guess it's three o'clock today.

MR. REYNOLDS: As I get started, I think it would be appropriate for the Standards Committee to thank Simon for his leadership in putting this together, since this is the morning of thanking everybody for their contributions as they move forward.

Obviously, there must be a problem with the letter or he might have gone ahead and presented it, but - (laughter). So I'm not sure. Sometimes being new chair people is not a good thing to do. So we'll see.

Karen mentioned it was the Academy Awards. I feel like I'm doing a responsive reading of the Federal Register but hang with us. We'll get through this.

Okay. Observation 1, on page 5 of 18. That is the need for coordination between HHS, DEA and state boards of pharmacy to avoid fragmentation of e-signature requirements.

E-prescribing offers great value. E-prescribing networks provide end-to-end security through a series of electronic pass-offs that do not entail any human intervention. The result of e-prescribing has been improvements in patient safety through more complete and accurate prescriptions, direct transmission of prescription to a dispenser where fill status can be monitored and elimination of the need for the dispenser to decipher and transcribe often illegible, handwritten facts or paper prescriptions.

E-prescribing transaction processes can support return receipts sent from dispensers to prescribers that also contribute to identification of potential fraud and abuse should a prescriber receive receipts for prescriptions not written.

Pharmacists are responsible by law for ensuring the authenticity and validity of prescriptions, including e-prescription.

The states and federal government have distinct roles in relation to e-prescribing. The states regulate paper prescriptions for non-controlled substances and are branching out into the regulation of electronic prescriptions for them.

The requirements differ from state to state, which makes it expensive for vendors to vary their products from location to location, and, in some cases, makes it difficult to handle e-prescriptions across state lines.

In addition, some states have restrictions on e-prescribing so that e-prescribing networks do not provide services there.

Let me stop there a moment, so we don't get way too many paragraphs out there before there is comment.

The federal government has a role in e-prescribing through the Drug Enforcement Administration's regulation of prescriptions for controlled substances.

The Controlled Substances Act requires that prescriptions written for Schedule 2 controlled substances can be delivered to a dispenser in original form with a wet signature.

Prescriptions for Schedules 3 through 5 substances may be faxed or communicated orally to the dispenser.

The DEA has not yet made a ruling regarding the requirements for electronic transmission of prescriptions for controlled substances.

E-prescribing network and software vendors expressed strong concerns that the DEA will require a PKI solution for controlled substances that are prescribed electronically. This could take the form of requiring PKI use for only Schedule 2 substances or PKI use for all controlled substances. Either way, the industry expressed concerns that this would create a significant cost burden, which would serve as a barrier to e-prescribing adoption and use.

In addition, the e-prescribing industry testified that the marketplace was not yet ready for widespread PKI use. As a result, if PKI were required for e-prescriptions for controlled substances, the near-term response would be for the industry to continue its current practices which is paper based. This, in turn, would slow down e-prescribing adoption and use, create a two- or three-tiered system for e-prescriptions for controlled and non-controlled that would be expensive and burdensome to implement, and, in the end, deny patients the safety and quality-of-care benefits afforded by e-prescribing.

Finally, the e-prescribing industry strongly believes that PKI is not necessary, as current methods are adequate for ensuring prescriber authentication and accuracy and validity of prescription contents.

It is clear that e-prescribing networks provide more security than traditional fax - traditional paper, fax or phone, which are prone to abuse, given today's copier, fax and telephonic technology.

E-prescribing transactions for non-controlled and Schedule 3 through 5 controlled substances currently are conducted in compliance with HIPAA security regulations and include dispenser validation through callback to the prescriber for prescriptions written for Schedule 3 through 5 controlled substances.

Today's e-prescribing networks use several important security features, including credentialing prescribers and dispensers, trading-partner agreements to grant access to the networks, and protocols to secure transmission and provide authentication and integrity to the electronic prescriptions. Testimony indicated that there is no evidence that these security measures have been inadequate to secure electronic prescriptions.

Recommended Action 1.1. HHS, DEA and the state boards of pharmacy should recognize the current e-prescribing network practices that are in compliance with HIPAA security and authentication requirements as the basis for securing electronic prescriptions.

These security practices are discussed in the background and illustrated in Appendix A. In addition, these practices are applied in conjunction with the dispenser's responsibility to use their professional judgment in determining the validity of prescriptions.

Different requirements may be needed for transmission of electronic prescriptions that do not go through such networks.

Recommended Action 1.2. HHS and DOJ should work together to reconcile different agency mission requirements in a manner that will address DEA needs for adequate security of prescriptions for all controlled substances without seriously impairing the growth of e-prescribing in support of patient safety as mandated by MMA.

MR. ROTHSTEIN: I have a question in the wording of Recommended Action 1.1. I am trying to focus on what the event is that we want as a result of this, and you say HHS, DEA should recognize the current e-prescribing networks that are in compliance. What do you mean by recognize? Certify? Develop standards or notify?

MR. BLAIR: Yes, actually, if you read a little more in the sentence, it is really recognizing that the e-prescribing networks - and I don't have it in front of me, so I can't have the exact wording - that are in compliance with HIPAA security and authentication requirements form the basis for e-signatures for e-prescribing over current e-prescribing networks. So it's - we have bounded it. We basically wound up saying that if a prescription - an electronic prescription - is being sent over those networks and they comply with the security - the HIPAA security requirements that are there that HHS accept that that is the basic level, the foundation level and that that is sufficient and adequate at this time.

And then recommendation. When Harry reads Observation 2, it is going to wind up saying what if they are not over an e-prescribing network or what if we determine that there's more demanding requirements in the future - and I won't get ahead of - you know, but that is going to be a different case.

MR. ROTHSTEIN: Well, that is a fine rationale, and I am not questioning that. I just - I don't know what should recognize mean -

MR. BLAIR: May I say one other piece here, because while Harry was reading through the observation which explained why we came up with this, I think you were in a conversation at that time. You may not have heard the observation.

MR. BLAIR: So let me give the premise for why we would make such a recommendation. It is an unusual recommendation. You are right, Mark. It is - we don't make very many recommendations like this, and it was basically that we received testimony from the industry that said that even though the security procedures that they have in place and authentication procedures they have in place may not be using the most advanced security technologies, it appears as if what is being done today - there is no evidence that what is appearing being used today is inadequate, and the other pieces are that if they were to use the most advanced technologies, it would be very disruptive and delay the use of e-prescribing and leave a lot of folks back in the paper mode, and so you might say this is sort of an acceptance of reality. So, therefore, Recommendation 1 says, HHS should accept this as the basis.

I think, Mark, your question seems to revolve around the word, recognize, and we had a lot of struggle about what word to put in there, and one of our big problems in this area was normally the committee sends a recommendation to the Secretary and we can say we recommend that HHS does -

DR. STEINDEL: Well, in the e-prescribing world, HHS is just one player. There is also the Department of Justice through the DEA and the State Boards of Pharmacy. So they are all involved in the e-prescribing process and all have to agree that the e-signature process is acceptable, and we struggled with what word to use. We can't say that HHS should put out regulations in this area or anything like that, because, really, they are not the only player. So we used a word that would convey the acceptance of the process, but not be prescriptive on how to do it. Does that clarify why that word was chosen?

MR. ROTHSTEIN: Yes, I just think - I understand all that and I have no expertise in this. I just think how we phrase what the recommendations are is very important, especially in a big, long document, the very first one out of the box you read and go, What's that all about? But, I mean, I accept that.

DR. COHN: But I think you are also asking whether it recognizes the right verb -

MS. MC CALL: Or even to clarify, to say, recognized by accepting as a possible standard as sufficient, recognizing that it may not be setting a standard.

MR. BLAIR: Well, if we go to solution or as a standard, that was more definitive than we felt comfortable with.

We wound up saying, as a basis, as a foundation, because there is not enough information to know whether this is really adequate.

We had industry testimony that seemed to say there is no problem with it yet, and that is why I indicated that this Observation and Observation 2 are a pair, and this is basically saying that they should recognize current practices as a basis, and, then, when we go on to Observation 2, it is going to wind up saying, when we start to look further, then, more research needs to be done.

MR. REYNOLDS: I would add one other thing, that there's really - the structure that we heard is that there is multi- - and we heard from NIST and everybody else about what is good authentication and security.

We feel that we heard clearly from the industry that they have multilevel authentication and security, and, further, pharmacists are responsible for the authenticity of the actual prescription. As we listened to the testimony on the paper versions, now, where doctors sign all the slips already and then somebody else fills it out and the other things, there is plenty of down sides to now.

So when you get into the security world, we heard clearly that there is no single standard - back to your point, Carol. There is no standard out there. Different than NCPDP, which they handed to us, and these other things that are going on. So you are into different levels of security, multi-tier authentication and other things. So that is why we recognized that we would send it over this way, and then, as the pilots go on and as further discussion, and you'll see an Observation 2 goes on, exactly what that needs to be, because PKI, as we heard it, was really - didn't look like an ultimate answer at the time, and there was no standard that you could just pluck out like we did NCPDP and some of the other things, and so we talked about the multi-tiered and we talked about - you'll hear us say in here, a number of times, that the dispenser is responsible, in the end, in all states, for the authenticity of the actual prescription. So most of them have set up the network all the way back to the prescriber. So that is why we termed that exactly like we did.

DR. LUMPKIN: From my years as a regulator, one of the things that states don't want the federal government to do is to tell them what the standard is, but they do appreciate it when the federal government identifies what could be a standard, and so, actually, I think the word, recognize works if you were to change the - in line 43, to say authentication requirements, as a basis for securing electronic prescription. So we are giving guidance to them. They can accept this. They can also accept another standard that they would consider to equivalent, generally, something home grown, but I think this may deal with the regulatory environment that we are trying to sort of stick our foot into.

DR. COHN: Well, that is certainly right minimalistic. Thank you, John. (Laughter).

MR. BLAIR: Can we say something to the Secretary where you could stay on, John? (Laughter).

Compliance with HIPAA security and authentication requirements is still quite open-ended, because it is mainly addressable, and I am not sure the comparison with paper is as relevant as we would like to think. One, of course, if paper was so bad, I'm not sure we want to just be a little bit less so bad, but the other is the pharmacist. All humans are quite capable of making judgments on the written signature, which was the standard, or the tone of the voice order over the telephone. There are ways you can detect - you assess authenticity. Do they have any of the wherewithal to assess authenticity when they are just basically getting an electronically-transmitted message from - let me just hypothesize - a provider that uses a password - a generic password for the entire office - is that good enough?

So in John's thought - and I certainly am not for over-regulation either - but could there be a floor, in terms of what is the authenticity required for this application? Even passwords alone - having a password rule alone could be a step in the right direction, although, we, of course, can't stop the shared pathway, for example, but to think that anything that goes - that any provider office, which is how - you know - the superior role is written, could go, assuming they decide the risk is appropriate, is that good enough for, let's say, a controlled substance? I just have that question. It is not the same as looking in the signature. We don't have the same equipment. We don't have the same -

DR. HUFF: The discussions we had on this were - one is what we are really trying to say here is they have ultimately the responsibility, and, in fact, what our discussion was is that what we would hope is that, given the principles, they would accept that - basically, they would accept the design of the system as, in fact, secure, so that they didn't have an individual responsibility to try and determine each one that came in was there.

Now, the other thing that - just to address - we had also testimony that said, yes, one out of 100 times I might catch, in the paper world, an error, but, in fact, because of how chain pharmacies have happened, and the growth of - we don't know anymore what a physician's signature looks like, and, you know, it is very, very rare that we can authenticate, based on paper or on the signature or on anything else, and so, you know, we do feel this is better.

Now, the other thing is that - as you point out - we recognize that people share passwords. I mean, you know, we give out secure ID cards, and then you go visit the office and there it is on a chain by the computer, so that anybody - you know, so it is handy for people to - and so, in spite of recognizing that happens, we still hold the person legally responsible who had that. So whether it is a valid prescription or not, we are going to hold that person responsible because they signed documents that said that they would be responsible, in spite of the fact that they are now sharing their password and doing other things.

And then, finally, we intentionally didn't want to be prescriptive here, in terms of technology. In fact, we felt like, because technology is moving and we didn't want to try and designate a particular technology - and especially not a particular vendor that had to be used in this environment - we tried to leave it, in fact, according to the spirit of what was being done in HIPAA, so that these things could change over time, as long as they were meeting the standard that, in fact, people were authenticated.

DR. COHN: Yes, and it is a difficult issue, and we actually struggled - I mean, I think Stan is right, I mean, that there was a lot of struggle about how prescriptive to not, and, at the end of the day, we have to reflect back, as we get into these areas.

You know, HIPAA actually did talk about an electronic-signature standard, and that was never acted on, because nobody could quite get their arms around it, and the security rule is really an evaluation standard. It isn't a standard like anything else we see. I mean, it says, do a risk analysis and use your best judgment based on that. It is really - with various addressable aspects, and we sort of, at the end of the day, had to sort of come back to something that was a little less specific, as much as we would all like to really pin it down, I think, such as you are describing. I think I am reflecting the views of the subcommittee on that.

MR. REYNOLDS: Yes, and I think another thing we heard is there could be as many as five to six hand-offs from the original doctor submission, and that there are checkpoints, and that there are multi-level - as I said - authentications, and then it goes to the hub, and the hub has authentication and they assure the pharmacist that anybody they sign up that is coming through has these things in place. So there is an industry out there that self-enforces its hand-offs, and that has to be to the satisfaction of the dispenser or they don't get signed up. The dispenser, in the end, is still in the whole chain and knows where those things are coming from and whether or not - because it usually comes through - the last step before the dispenser is their switch that they have signed up with. So that is the other thing I think we heard from the industry and felt comfortable that that had been addressed, but, obviously, it is the most imprecise of our recommendations on what should be done, because it is a questionable area.

And I don't know that we are solving everything, but, hopefully - at least, I see people nodding their heads. Hopefully, we are - we have obviously made one change, a the to an a - (laughter) - which actually was very helpful, John. Thank you. That only took 10 minutes, but we do appreciate that.

I guess I should also comment that one of the other pieces we saw that are probably almost more important than anything else and which we really haven't commented, because it is so obvious, is this idea that, Geez, we have HHS and DEA, and if we don't get them working together, we are in real trouble, and I think we were sort of struggling with this, and that becomes a very important concept that we are trying to bring forward. We don't want a world where everybody can do everything for 85 percent of their prescriptions, and, then, for 15 percent, so much of a hassle they dropped a paper, and so we don't have any of the benefits of e-prescribing for any of the narcotics being prescribed or controlled substances, and we thought that that was a very important concept that needed to be sort of brought forward and I think is well expressed here.

MR. SCANLON: The other message here is that - I guess I am reading between the lines - you are recommending against the - what sketches we had of the DEA proposal that involved PKI plus biometrics plus - it is sort of an in-between-the-lines -

MR. BLAIR: Could we not make a comment on that? MR. SCANLON: Sure. Between the lines.

MR. BLAIR: And, actually, when you go to our Observation 2, I think Observation 2, in some ways, they clarify the missing pieces that we didn't address in Observation 1.

MR. REYNOLDS: Observation 2, the need for research to address future security risks.

Because there may be a greater need to send prescriptions over the open internet in the future or for enhanced security of prescriptions for Schedule 2 controlled substances, there may be an increased demand for improved authentication, message integrity and non-repudiation services.

Although PKI and other forms of digital signature are available, testimony indicated that, currently, these technologies are costly and impair interoperability for e-prescribing functions. Therefore, it is important to plan for evaluating feasibility of PKI and other forms of digital signature for use in e-prescribing as these technologies mature.

Reference information regarding electronic signature, digital signature and PKI are available from ASTM International and ISO.

Recommendation 2.1. HHS should evaluate emerging technology, such as biometrics, digital signature and PKI for higher assurance authentication, message integrity and non-repudiation in a research agenda for e-prescribing and all other aspects of health information technology.

Reason we pointed out the open internet is much of what we had heard already was through sometimes VPNs and other protected networks, some of the stuff that is going on right now. So that is why we moved to this next level of - so when it really becomes more open, then what else might need to happen?

MR. HOUSTON: I have a question. I faintly recollect, remember the discussion about e-signature as part of the proposed - was it a security rule? There was e-signature standards. Was it -

DR. COHN: It was, I think, in a proposed rule. There was some discussion about e-signature, and then it was pulled for the final rule.

MR. HOUSTON: Right. Right. How much of that overlaps - what was in the proposed rule actually overlaps this recommendation?

MR. BLAIR: Well, actually, that is a very good question because this is, apparently, the second time NCVHS and HHS have gone through the process of struggling to come up with standards for e-signatures, and you can see by these recommendations that the answers are still not crystal clear.

What helped us this second time around was that there was some experience with e-signatures within e-prescribing networks that had a certain amount of security, and that is what enabled us to make recommendation - the Observation 1. Okay?

MR. BLAIR: But the answer was not complete and definitive, and there is not a definitive standard. So that is why we wound up having Observation 2.

MR. HOUSTON: Well, I guess I'm just wondering whether there should be a renewed discussion about proposed rule - e-signature standards and the proposed rule, because, I mean, I remember they did deal with - integrity and non-repudiation and things like that, because - just what they are, and is it worthwhile - Is this sufficient or should we be looking at maybe trying to see if somebody wants to dust off those standards, since they were - there was a lot of thought and effort put into them at one point -

MR. SCANLON: There doesn't seem to be a consensus in the industry on such a standard.

DR. COHN: John Paul, I actually am hearing what you are saying and I am sympathetic. I mean, your general comment is should we relook at this whole thing in a more - perhaps a more global fashion? This is a specific-use case.

DR. COHN: Obviously, we've got the NHII coming forward and all of that. I would remember that not only has the federal government tried this a couple of times, we actually held hearings a couple of years ago, also, independently, trying to get things going again, and I think it's - really, it is going to be very much use-case driven.

DR. COHN: I think as we move forward with the NHII, I think it is going to have to be a question - In the same way that as we identify everything, the question is is how secure are we identifying whatever person or place we are dealing with within this new world.

So, I mean, I know that it is really part of this letter, but it may be part of our work plan going forward.

DR. STEINDEL: Simon, I do want to point out in this recommendation we somewhat allude to that we want HHS to broaden the agenda of what they are looking at with e-signature with our closing remarks on all other aspects of health information technology. So we do realize that this is not just limited to e-prescribing, that it will have impact outside of e-prescribing.

DR. COHN: Well said. Now, before we - I mean, we are sort - I mean, this is really the two recommendations that deal with e-signature. Are we comfortable with them? I'm actually sort of looking at Carol McCall, who, in our conversations, has had a lot of pharmacy experience, as well as sort of the world of electronic signature and all of that. Are you comfortable? Are others comfortable with what we have done so far?

DR. COHN: Yes, and I would apologize. The Subcommittee on Standards and Security has worked on this so much, we have a hard time sometimes seeing the words. You know, when you get to the fifth, sixth, seventh version of a letter, it is sometimes hard to see them quite as well as people who are freshly looking at the letter.

MR. REYNOLDS: Okay. Moving into the section on observations and recommendations relative to progress on NCVHS recommendations from the September 2004 letter.

Observation 3. Formulary and benefit coverage message standard. NCVHS has monitored the progress of NCPDP as it develops the formulary and benefit coverage message standard in accordance with NCVHS recommendations from September 2004.

NCPDP has reported that a formulary and benefit message standard will be submitted for approval to NCPDP at its March 2005 workgroup meeting, and pending the balloting process, approval to NCPDP - oh, the NCPDP Board of Trustees could approve the standard as early as spring 2005.

The formulary and benefit message standard includes formulary status lists, formulary alternatives lists, benefit coverage lists, benefit copay lists and cross-reference file, user-recognizable health plan product name who identifiers use for the formulary, alternative coverage and copay lists.

Recommended Action 3.1. NCVHS will continue to monitor the progress of the development of the NCPDP formulary and benefit coverage message standard and will report any further recommendations to HHS based upon this progress.

I would like to make one comment on this one. The industry - throughout our hearings, the industry truly has stepped up, and where there was an opportunity for a standards organization to grab something and move it quickly, I think by just seeing this you can see that it is a different method than some of the standards situations before that have taken years. They have stepped up and latched onto these things quite quickly.

MR. BLAIR: Harry, let me add one other aspect to this, because our recommendation simply said that we would monitor progress. There is something that it is silent about, and the thing that it is silent about is what we will do after it is balloted. Okay? And it is - you know, it is our hope that it'll be balloted and will wind up being satisfied where we could make further recommendations.

Keep in mind that there's two paths that we are looking at, whether we recommend something as a foundation standard or whether we recommend something that has to be included in the pilot test beginning January 1, 2006. So the silence there is because we don't know what path that'll take.

MR. REYNOLDS: Observation 4. Medication history messages from payer/PBM to prescriber.

As noted in the NCVHS recommendation letter of September 2, 2004, NCVHS has monitored the progress of NCPDP as it develops medication history message standards.

NCPDP has reported that a standard for medication history messaging was submitted to the NCPDP and is currently being balloted. Pending the balloting process, the NCPDP Board of Trustees could approve the standard as early as late spring 2005.

Recommendation 4.1. NCVHS will continue to monitor the progress of the development of the NCPDP medication history message standards and report any further recommendations to HHS, based upon this progress, and I think our comments a minute ago bear out for this one as it did the previous one.

Observation 5. NCPDP fill status notification standard. The industry does not have adequate experience with the NCPDP SCRIPT fill status notification standard to make it a foundation standard for e-prescribing.

NCPDP has developed guidance on implementation and operational matters relative to consistent utilization by prescribers and dispensers for the fill status notification transactions.

NCPDP expects that Board of Trustee approval for this guidance will be provided in April or May of 2005.

Recommended Action 5.1. HHS should include the fill status notification function of the NCPDP SCRIPT standard in the 2006 pilot tests consistent with NCVHS recommendations of September 2, 2004.

Observation 6. Structured and codified sig. NCPDP is facilitating the gathering of data, defining scope and management and drafting operation assumptions relative to structured and codified sigs, patient instructions. It is working with Health Level 7 to draft implementation guides and refine data elements and code sets.

NCPDP expects to release a proposed standard for coding and testing a structured and codified sig in summer 2005.

NCVHS further notes that standard units of measure identified as a topic for further consideration in the September 2, 2004, letter is included in the work of NCPDP and HL7 as they define the structured and codified sig.

Recommendation 6.1. HHS should include evaluation of structured and codified sigs in the 2006 pilot tests consistent with NCVHS recommendations of September 2, 2004.

MR. REYNOLDS: Well - I just wanted to make sure. I've never seen it go that well.

DR. STEINWACHS: Just a quick one. I missed somewhere, S-I-G stands for - you have patient instructions, but I couldn't get that from S-I-G, in my mind.

DR. FITZMAURICE: - for signatura, and then that is defined as the instructions a doctor gives to the patient.

DR. STEINWACHS: Okay. Thank you. Always good to get an education. That's why I come here.

DR. STEINWACHS: Oh, thank you. Thank you. MR. REYNOLDS: Yes, this is follow on to that.

So Observation 7, clinical drug terminology, drug labeling, drug listing and standard codes for orderable items.

NCVHS heard testimony from NLM that several issues are being addressed with respect to RxNorm. These include maintenance of RxNorm outside of the UMLS environment, elimination of code changes, development of specific ways to handle obsolete drugs and frequency of updates, and enhancing and stabilizing staff support, including liaison to standards development organizations.

NLM is adding NDC codes to RxNorm as they become available from FDA and starting to link brand names to NDC codes, although, completing this will depend on availability of information from FDA.

NLM is also planning to include in RxNorm consistent names for orderable items associated with medications, such as test strips or oral contraceptive dispensers. They are starting with coverage for items that are reimbursable under Medicare Part D.

Structured product labels, SPLs, will provide the ingredients and other information needed for the NLM to create RxNorm codes and map them to NDC.

All of this information will support the ability of NLM to produce the Daily Med, which is intended to keep the industry current with respect to new drugs.

NLM expects to start receiving SPLs from the FDA later this year as soon as the FDA's drug-listing rule is promulgated.

NLM indicated that the FDA estimates that full implementation of the drug-listing rule will take several years to complete.

Recommendation 7.1. HHS should include evaluation of RxNorm in the e-prescribing pilots. The pilots should evaluate the use of RxNorm codes as the primary identifiers of orderable drugs and prescription messages. This would assess how well the RxNorm codes can capture the intent of the prescriber and whether a dispenser can accurately fill the prescription based on the RxNorm code.

RxNorm should also be evaluated for use where a proprietary code is used for the orderable drug and the RxNorm code is included in the message to provide interoperability with other proprietary coding systems from drug-knowledge data bases.

Recommendation 7.2. HHS should take immediate steps to accelerate the promulgation and implementation of FDA's drug listing rule in order to make the inclusion of RxNorm in the 2006 pilot test as comprehensive as possible. This is necessary to achieve the patient safety objectives of MMA.

DR. CARR: I might suggest a glossary of abbreviations - (laughter) - in addition to the glossary of terms; and, also, I guess RxNorm was identified in the September thing, but is RxNorm defined anywhere? I couldn't find it in the earlier -

DR. COHN: Yes, I think that is a good point. We actually have a glossary of terms in Appendix C, but it sounds like we need to add a couple of things to it, and I think our Margret is nodding her head in the back. So, I mean, some of these were defined in the first letter, but I think we need them forwarded to the second letter.

Now, the other thing I was going to say is - there are probably a couple of technical changes we'll be making to this part.

As with anything that we make changes to going forward with the subcommittee, what we'll be doing is usually mark up on Word. So, tomorrow, when you see the letter, it'll be very obvious to everybody any wordsmithing or other changes that had been made as a result of these conversations.

NCPDP reported that an industry task group is drafting flows of the medication prior authorization process and identifying where standards exist and where there are gaps. It has identified that attachments being developed for claims may be leveraged and added to in order to be used for prior authorization.

NCPDP will coordinate with HL7 if there is a need to support an attachment booklet for the purpose of medication prior-authorization attachments. NCPDP indicates that additional research is taking place on structuring prior authorization messages.

Recommended Action 8.1. HHS should support the standards development organizations - NCPDP, HL7, NASC, X-12 - in their efforts to incorporate functionality for real-time, prior-authorization messages for medications in the ASC X-12, N-278 health-care services review standard, and the ASC X-12-N, 275 claims attachment standard.

Recommendation 8.2. HHS should include the evaluation of the interaction of standards related to the flow of prior authorization in the 2006 e-prescribing pilot test.

Observation 9. Coordination of prescription message standards. E-prescribing NPRMs solicited comments on whether Part D plans should be required to use the standards for e-prescribing transactions within a closed enterprise; e.g., staff model HMO.

HL7 is commonly used to communicate medication orders within a hospital and with clinical pharmacies within an enterprise. As indicated in its recommendations of September 2, 2004, NCVHS believes that coordination of HL7 with NCPDP SCRIPT would create more seamless functionality across healthcare environments. This would remove a barrier of adoption of electronic medication ordering and prescribing. HL7 and NCPDP have already begun to map their standards that support common functions.

Recommended Action 9.1. HHS should recognize the exchange of prescription messages within the same enterprise as outside the scope of MMA e-prescribing standards specifications.

Recommended Action 9.2. HHS should require that any prescriber that uses an HL7 message within an enterprise convert it to NCPDP SCRIPT if the message is being transmitted through a dispenser outside of the enterprise.

HHS also should require that any retail pharmacy within an enterprise be able to receive prescription transmittals via NCPCP SCRIPT from outside the enterprise.

Recommended Action 9.3. HHS should financially support the acceleration of coordination activities between HL7 and NCPDP for electronic medication ordering and prescribing.

HHS should also support ongoing maintenance of the HL7 and NCPDP SCRIPT coordination.

DR. COHN: Okay. I want to stop for just a second, because we are now going to move back into a - really, a new recommendation. These last ones have really been sort of follow up of previous recommendations, but I just wanted to stop. Is everybody sort of comfortable with where we have gone so far?

Okay. The next one, as I said, was done on the basis of hearings by the Subcommittee on Privacy and Confidentiality and incorporated into the letter. So please.

NCVHS Subcommittee on Privacy and Confidentiality held a hearing on privacy issues related to e-prescribing on November 18, 2004. The subcommittee heard testimony from industry experts and consumers.

In general, witnesses noted that e-prescribing regulations will require patient education regarding their rights, patient access to privacy and security policies and consumer-friendly communications.

Privacy guidance for e-prescribing is provided through applicable state and federal laws and regulations. For example, it is not clear whether state laws restricting certain electronic health record communications - e.g., related to HIV status - without express consent would be preempted by MMA.

Similarly, the federal confidentiality of alcohol and drug abuse patient records regulations require express consent for the use and disclosure of alcohol and drug-abuse patient records that are maintained in connection with the performance of any federally-assisted alcohol and drug-abuse program. Any e-prescribing regulations must consider these other health records laws.

The main privacy issue that needs to be resolved in an e-prescribing regulation is what rights consumers should have to limit access to their prescription records, especially for medications related to sensitive health matters, such as mental health, substance abuse and HIV AIDS.

The same issue of balancing the privacy interest in consumer control with the interests of healthcare quality and efficiency is central to the National Health Information Network, the NHIN.

NCVHS will be holding a series of hearings on privacy and confidentiality under the NHIN beginning in February 2005.

Recommended Action 10.1. HHS should identify and evaluate any privacy issues within the context of the HIPAA privacy rule and health records laws that arise during the 2006 pilot tests of e-prescribing.

Special attention should be placed on issues regarding individuals' rights to request restrictions on access to their prescription records.

Recommended Action 10.2. HHS should use experience gained from the e-prescribing pilot test to develop appropriate actions for handling privacy issues.

MS. MC CALL: Yes. Were there discussions about linking recommendations for Observation 10 back to recommendations for Observation 4, which has to do with medication history messages?

I know that these are to the prescriber, and these are from the payer PBM. So both of them are recommended to go to pilot. Could you talk about having a specific recommendation about making sure that those are linked?

If I am a prescriber, for example, and we are going to pilot the sending of medication history, say of John Paul to me -

MS. MC CALL: I know it, because, you know, there's a lot of stuff he doesn't want me to know.

MR. BLAIR: And, actually, you kind of set me up for the comment I was about to me.

We were - we did have a fair amount of comments when we were looking at the provision of medication history messages.

One of the observations that we sort of wanted to connect to 10 was the fact that we learned that PBMs were filtering some of the sensitive information, such as medications that might be taken to address HIV, behavioral health, sexually-transmitted disease. They were literally filtering that out of the medication history that's sent to prescribers, and, therefore, the prescribers would not be receiving all of the medications that the patient was receiving, and we also heard that they did this based on advise by their attorneys to be concerned with the privacy issues. Of course, the consequence in terms of patient safety was not there, but they were getting advice that the patient had the responsibility to advise the prescriber. So there is a link.

Now, we happen to have articulated these separately, and one of the things that I wanted to suggest was that in the last paragraph of - maybe I won't make my suggestion quite yet, since I responded to your question - very perceptive question. Did that address it or did you have further questions or is there some other suggestion you wanted to make?

MR. BLAIR: Yes, and it kind of leads to the thing that I was about to suggest, and I lost track, Harry, when you read it. I think when I read the document earlier, I thought there was, in the observation, one of the last few sentences referred to - had the word quality in it, but didn't have the word patient safety. Are you all able to see where that is?

MR. REYNOLDS: Yes, the sentence starts or the sentence you are talking about, the same issue of balancing the privacy interest in consumer control with the interest of healthcare quality and efficiency is central to the NHIN.

MR. BLAIR: May I offer a suggestion that just before the word quality we insert the words patient safety, so it's patient safety and quality, so that that patient safety issue doesn't get overlooked?

MR. REYNOLDS: The other thing to play off of your question, in Observation 10, it is a - we recommend that it be part of the pilot, and in Observation 4, we are still awaiting NCPDP to see if they can even set up the standard. At such time as they create the standard, I think your comment is excellent. I think that if - at such point we consider recommending this to be part of the pilot or part of the standards, that it be tightly coupled with how it effects what is already there. That might be a way to approach it.

DR. COHN: It sounds like we have caught the issue and it sounds like the answer is maybe the next letter, which will probably be with some of those other pieces. Does that make sense to you?

MR. REYNOLDS: We didn't plan to read that other long list of - that is just really a report of individual things that we had considered. I thought we were just going to focus on the -

DR. COHN: Yes, I think we have a couple of minutes, and I guess what I would suggest is that maybe we go through - I mean, there's probably a - under the Other Standards and Important Related Items, probably the bullet that relates to clinical decision support might be worthy of reading, and then I want to - I mean, not completely ignore John Paul's comment about walking through the background, because I think it actually is a good comment, though, with your permission, we are not going to read the whole background.

DR. COHN: I assume that is okay with everyone. Because I think that is - Otherwise, most of these things are, well, looked at that or we are going to talk about it or whatever.

The report on clinical decision support for e-prescribing prepared by the joint clinical decision support workgroup, authored by Taish(?) et al, identifies benefits of clinical decision support, barriers to widespread adoption of clinical decision support, basic and advanced clinical decision support features and elements that might be required over time, structure standards and other enablers required for clinical decision support in e-prescribing and incentives to accelerate the adoption of clinical decision support in e-prescribing.

NCVHS notes that the report has several observations and recommendations that compliment those included in the NCVHS letter of September 2, 2004, especially with respect to the use of RxNorm to support clinical decision making in e-prescribing.

DR. STEINDEL: Simon, we probably should put a reference as to where people could download the report.

MR. HUNGATE: One other comment. Thank you for that suggestion, Steve, because I was needing that.

Some place back in here, and I haven't found the reference, it refers to - here it is - drug knowledge - It refers to drug-knowledge basis, line 10 on page 9.

I assume that that relates to the decision to support structure, and as I saw the drug knowledge basis, I felt I wanted to know a little more about what was really being referred to there, because I think it does relate to the decision support, and so I wasn't sure whether more elucidation of what that was would be helpful.

DR. WARREN: Would it help, Robert, if we listed the companies that provide these databases? I mean -

MR. HUNGATE: Maybe. I'm not sure. There was a question in my mind as I saw that, and it is reinforced by seeing this section. So -

MR. BLAIR: We had them testify and they were covered in - that whole subject was covered in great detail in the first recommendation letter, but, nevertheless, I think that what you are suggesting is that - did you want it as a footnote or in the appendix or -

MR. HUNGATE: I'm not sure. It just struck me that there must be some linkage between these and making it clearer might help the understanding.

DR. COHN: Hum. Sort of - to figure out how we do that. I mean, kind of looking - Steve, did you have a comment on -

DR. STEINDEL: I think Bob is not asking a simple - a question that has a simple solution, and probably would be best to report back to the committee tomorrow and discuss it at the subcommittee level.

MR. REYNOLDS: Did you want to go back and walk through the background, just to kind of highlight the categories?

DR. COHN: Yes, the comments about this so far? Okay. Yes, why don't we just sort of walk -

DR. STEINWACHS: One of the things that always concerns me is what kind of information is available for patients about their medications, and I don't know whether this comes into the committee's - when you talk about the drug knowledge bases, though they are usually for clinicians, not for the patient side of this, and even such things - simple things as how would you determine whether or not the prescription was on label or off label if you were a patient, and so it would be helpful to me if the committee could look at the patient side of the knowledge, and it is not decision support, then, but it is information that patients could access so they would better understand what the drugs are they are being prescribed.

DR. WARREN: I just want to clarify I understand what you are asking of us. (Laughter).

DR. WARREN: When we heard these companies testify, most of them do provide patient-oriented material, but that material is only accessed through the prescriber, so the prescriber has the material, can then dispense it out to the patient, but you are asking more than that about patient access to these knowledge bases, right?

DR. STEINWACHS: Or the suitability of the knowledge bases for the patients to be able to use, you know, because when you talk about the knowledge bases here, I think there is a presumption that they may only be useful to a clinician, and it seems to me the system that we are building out there ought to have knowledge resources or we ought to be able to talk to whether there are knowledge resources and how patients could access those so they could get some understanding, in case the prescriber doesn't give them the information, in case - have symptoms 24 hours later and no one to talk to and are trying to figure out, Well, do I go to the emergency room or do I wait ‘til tomorrow morning?

DR. COHN: Yes, Don, I actually hear your issue, which I think is a very legitimate one. Clearly, the drug knowledge bases that currently exist are primarily there for pharmacists and some physicians who have access to it, but they really - (laughter). Well, no, I mean, most of these drug-knowledge bases are really developed for the pharmacist at the point of dispensing.

Now, the issue you are bringing up is, I think, a very important one. I am sort of thinking, though, as I am listening, that this is really an aspect of the - sort of the personal-health dimension of the NHII; and I am sort of very thankful that Mary Jo Deering just walked in -

DR. COHN: - who is the key staff for that - to that subcommittee, to that workgroup, and maybe it is something that we should explore in some of those hearings, because, clearly, the words that come out for the pharmacist - and I think Paul knows what I am talking about - it doesn't exactly - you know, it's like reading the PDR if you are a patient, which, yes, you can do it, but not easily.

DR. STEINDEL: Well, I would just like to point out, we mentioned the FDA's work with the Daily Med, and, really, the Daily Med is supposed to provide this information to the American public, be it individuals, companies, et cetera, and I think the vision of the FDA is is when the Daily Med system goes into regular use it will be fulfilling the need that you are talking about here, one of the vehicles. I mean, private sector can do it as well, but that is one of the goals of the Daily Med.

MR. HUNGATE: Comment. Observation. That is right for FDA-approved uses. For off-label uses, it is a pretty big hole in which there is a lot of lacking information, and it is not clear to me where that is going to come from, nor how it is going to get filled.

DR. COHN: I think - with the permission of the full committee, I think that this is an area I think way beyond the scope of the letter, but I think it is an important part of the work plan for the NCVHS, and probably - knowing that we are holding hearings, really, on the personal health dimension, I think that this issue of - I mean, it isn't just their medical record, it is currently medication information and all of this stuff, and we probably need to at least be talking to some people about that - and you'll see it in a future letter, but not this one, likely.

MR. REYNOLDS: Going back to the beginning of the letter and talking about the background, the first section is broken into electronic-signature background, and the first, under Relationship Between Prescribing and Patient Safety, just basically the fact that there are a lot of prescriptions and there are adverse drug effects and other opportunities that need to be dealt with, the role of the government - and we have already spent some time earlier talking about the DEA, the DOJ, HHS and state board pharmacies, the deal with that, the role of dispensers to validate prescriptions, we heard significant testimony on that, and so that section discusses that.

DR. TANG: Let me see if this observation may be correct or incorrect. It looks like Observation Recommendation 1 transfers some of the role - the validating role of the dispenser to the prescriber, because we have made it an addressable HIPAA issue, and it is incorrect. I'm seeing by the - So let me -

DR. HUFF: I mean, the way we were thinking about it is that they have the ultimate legal responsibility still, and their responsibility, if you will, is to say, Oh, you know, I understand now how people are being authenticated. I understand we are using secure private networks. I understand the relationships that exist between the pharmacies and that they must be registered, and so, basically, by understanding the system and knowing how the systems are implemented, they are saying, I agree that that is sufficient evidence that this is a valid prescription, and that is sort of all we were saying. I'm not sure how - where you are getting from there to them relinquishing their responsibility or -

MS. MC CALL: Let me see if I can rephrase it, that with the existence of HIPAA, and, now, with the coming of electronic prescribing, by definition, does that defuse backwards the responsibility? Because it is a transaction between two covered entities which now involves an electronic signature, does the existence of all these pieces put some of the responsibility and perhaps liability back to the prescriber, where, in a different process, it rested with the dispenser?

DR. TANG: Let me give the example. Currently, it is prescribed that you must have a written - sometimes, you know, a wet signature by the provider, and, then, it is up to the dispenser to validate whether that is a true signature.

By saying that we now are going to push the authentication to the addressable way in which a prescriber authenticates, I think it has actually moved - first, we have no longer been prescriptive - as we used to say, handwritten - and I think by using the term addressable, it has actually given the responsibility for the qualified authentication of this prescription to the prescriber, and that feels to me different -

MR. BLAIR: Actually, the authentication is the - at least my understanding of it, and anybody on the subcommittee that feels my interpretation is not correct - the dispenser is trying to authenticate whether the person who claimed to write the prescription is, in fact, that person. So it can't be something that is transferred to the prescriber, but I think you have picked up on a valid issue that the dispenser - now that the dispenser is receiving something by computer in electronic form and not receiving it being handed to them, necessarily, by the patient, that they might know the patient or they might recognize the signature, in some ways, there is less of an ability of the dispenser to authenticate that it is original, and so the system, now, is trying to assume stronger authentication responsibilities. The system - in this case, the system is essentially the e-prescribing network.

DR. TANG: Plus the prescriber's determination of the risk associated with their particular -

DR. TANG: - method, and, as you were saying, Jeff, the dispenser no longer has the tools that they used to have.

MS. MC CALL: Right. Although, two points. One is your example of it used to be a wet prescription or handwritten, they were more distinct events and discrete, and, now, it is much more of a flow, but within that context, if responsibility for authentication rests finally and completely with the dispenser, that may break that flow -

MR. BLAIR: Yes, we are inheriting - you know, I think it is the state laws that wind up placing that responsibility on the dispenser, and the e-prescribing networks, in their attempt to be able to provide greater authentication among the things that they have been doing. Matter of fact, in the background section there, when you - it winds up listing, you know, these things. It winds up indicating that it makes an attempt to certify the prescribers before they have access to the network, and it has certain data integrity, you know, that the prescription hasn't been altered once it is sent.

So I think that your observation is a valid one that things are shifting, but the state laws haven't changed yet.

MR. HOUSTON: Well, are you saying that - if I can - that because the responsibility now or the function of validation is more the function of a system or software in that system, that a provider might - if you take this to the most extreme case - might be responsible if he or she selected substandard software tools to mediate their orders? That is question A, and then B, would that not be addressed by having standards applied to that industry of what - minimum standards such software should have?

DR. TANG: I guess - my primary concern is at the literal authentication method at the prescriber level, because we used to use something that has the test of time and law, the handwritten signature -

MR. HOUSTON: Yes.

DR. TANG: - or something that each individual gets to decide - i.e., addressable - how they want to authenticate people in their office.

MR. HOUSTON: I see.

DR. TANG: And that is taking it completely out of standard of practice from - now, I am trying to be a lawyer. So you'll have to correct me on that one, but - (laughter).

DR. COHN: I think you should have Kevin help you on that one.

DR. TANG: So that is my concern is that we really have placed the onus of authentication, made it the responsibility of the prescriber, and I would think a dispenser could be a little bit nervous about that. I am not actually worried about the software, because that is a business practice that -

MR. BLAIR: Would it be worthwhile to read the section you just touched on, which is dispenser validation, and maybe that addresses some of Paul's -

DR. COHN: Yes. Yes. Well, I think Judy has a comment that maybe -

DR. WARREN: One of the things that we tried to do when we heard testimony was to stay as technology independent as we could, and when you brought up the fact that the prescriber, now, is being brought into the authentication, they have always been there. They have had to choose between a pencil and a pen. They have had to choose between a piece of paper or a piece of paper that has print on it that says prescription or a piece of paper that has been made so that it cannot be Xeroxed, because it would lose its validity. Now, all of those are things that occur in a paper-based world. So the prescriber is already having to choose a level of paper-based technology in order to ensure that it really is their signature on there.

And what we are saying, now, is that, now, as we move more into the electronic technology, there are other ways that we can still do that.

So I am not sure I agree with you that we are asking the prescriber to take on more responsibility for authentication. It has kind of always sort of been there, just not as obvious, you know, as what it becomes in an electronic environment.

DR. COHN: Okay. Steve, maybe you can help?

DR. STEINDEL: Add on to what Judy said. I mean, we heard several times during this period about the cases where a prescriber would sign 50 scripts in a pad and leave the pad lying around, which is, you know, very analogous to the password sitting in the office and also very analogous to what you are talking about about, you know, how much of the authentification actually exists in the wet-signature world, because anyone can walk off with that pad and now become that prescriber.

DR. TANG: I think the scenario you described is illegal. Okay. But - (laughter). I didn't mention that, but the scenario of an individual deciding that a one-character password is sufficient for that practice is not illegal, and yet it may be unsafe. That is my point. So I think there's plenty of - I mean, a signature is, I think, defined in legal - For example, a dot cannot be a signature, for example, or, I mean, there are precedents for what is a signature -

DR. WARREN(?): An X can, though.

SPEAKER: A dot can be a signature.

DR. TANG: What?

SPEAKER: An X.

DR. TANG: Yes, but for certain people, right? I mean, you actually - there is actually - I mean, there's just a lot of law -

DR. COHN: Okay.

DR. TANG: - behind what a signature is.

DR. COHN: Yes -

DR. TANG: Well, let me pose the other question.

DR. COHN: Yes. Yes, Paul -

DR. TANG: How would law change if a signature was defined as addressable?

SPEAKER: What do you mean?

DR. TANG: The way HIPAA defines it is you do your own risk assessment of what is meant by authentication, and then you can define it. If I gave you that - if that was the case for -

DR. HUFF: Over the years, my signature has changed, become much more simple -

DR. COHN: Microphone. Yes, Stan and then Carol.

DR. HUFF: This is Stan. (Laughter).

We had the same - I mean there was a strong push and a lot of discussion about how we could firm this up, and one of - In fact, we went so far as - there were early suggestions that we put byline, you know, you have to have a password and a login and it has to be - excuse me, and the password has to have - be a strong password in there, and then we said, but that could all change.

And, number two, there is no standard we can rely on that states those things - okay? - so we would - if we started putting that kind of very direct, specific advice in here, then we become a standards body, and what, in fact, we want to have happen is if those things are standards, we want those to go to HL7 or NCPDP or NIST or somebody who can be the owner and keeper of those standards, and that is why we ended where we are, and sort of, yes, it is addressable, and if, in fact, somebody did something that - you know - in their opinion and the way they addressed it, most of us would consider inappropriate, then the assumption is is that there is going to be a complaint, and then there are going to be adjustments made in that, because saying that it is addressable doesn't mean that anything you want to do is legal forever, just because that is how you address - I mean, basically, you can be found faulty of - in your risk assessment and say you didn't assess the risk right. You've got to do something better and different than what you are doing.

And those are the reasons why we didn't try and become very prescriptive in here about - we don't - it seems inappropriate for - we don't want to become HL7 or NCPDP. We really want that - because we are not set up to be able to modify and change, and we put those kind of things into this kind of document, then they become immutable in a way that we really don't want them to become.

DR. COHN: Yes. I see Paul is nodding his head, so that's probably at least a good start here.

Carol, and then I'd like to wind this -

MS. MC CALL: Okay. Paul has asked a great question.

DR. COHN: Yes.

MS. MC CALL: And I think that there is a general theme that, as a group, as a committee, we are going to come across again and again over the next four years, and this is the general theme that I see, which is that we are talking about standards, but it quickly evolves into the changing of process, which, ultimately, will have a very important aspect that is legal.

In this particular case, we have taken an historical process that Judy described earlier. It has been around for a long time, and a lot of legal precedent has been set around that. That process was broken apart in different pieces and responsibilities were very distinct. That process has changed, and the responsibilities become more - the process becomes much more tightly coupled, and so as these processes change, and sometimes fundamentally so, sometimes with new parties coming in - not this one, but maybe on others - that we need to look to the law to find out what the law says historically about where the responsibilities have been, so that we can see and explicitly look for whether or not that needs to be addressed along the way, and that is, I think, the theme in here, and I think that is the question that you asked, and I think we need to look at it as we go forward.

DR. COHN: Yes. Carol, well said.

DR. WARREN: One of the things - I mean, and I'm glad Carol brought up the law, because we did hear testimony about it. We looked at the e-signature law. So, I mean, there are definitions, and we did refer to that in part of our preliminary work about what those definitions are for a signature. So that part is already in law, and, you know, we are - so that may be helpful.

DR. COHN: Yes, you know, I am sitting here struggling with this one. I am trying to - I am well aware of the issue that you both are bringing up, and I think that really is - you know - changes in work flow, changes in responsibility, but the law hasn't changed. So - but, effectively, you know - but, on the other hand, people call in prescriptions all the time, and, you know, whenever I call prescriptions in these days, the pharmacist doesn't know who I am, and I have to tell you, I mean, you just never know. So you have to realize the reality, and, sometimes, you know, you don't move to a perfect process. You take two steps forward. You know, you don't want the - you know - perfection to be the enemy of the good in this one. So we have to reflect on that one.

Now, Paul, what I am going to suggest is is that I know the committees that you are interested in participating in, and given, I think, some of your concerns, which I don't think I have an answer for in the large group, I am going to suggest that you sit in with the Subcommittee on Standards and Security, as we sort of look through this letter, and see if there's - I mean, because I don't see an obvious way to address your question in here or even how to frame it. So maybe there are some ways you can help us.

DR. TANG: I think it is as Carol said, which is we just need to be cognizant.

DR. COHN: Okay. I mean, anything to avoid having to sit through a subcommittee.

MR. HOUSTON: Still not getting out of Standards and Security. (Laughter).

MR. REYNOLDS: I did want to play off that. We clearly heard testimony that in all states the dispenser is responsible. So, I mean, we really hammered on that to make sure we heard that clearly. So, in no way, does this relinquish them from having that responsibility.

The other thing that we discussed at length with e-prescribing there is also the possibility of being able to send a message back to the prescriber that this actually occurred, which will be much more of - They may call periodically now to check on someone, but if they go as far as sending a message back each time, if e-prescribing moves to that, then you are actually confirming that a prescription was written from that particular environment, which is a much better check than even - anything that is going on right now.

So we really tried to address that, but there is still that emptiness of no standard, nobody handed us a standard we could use and put in there, and so we are working through processes where, as you say, in HIPAA, two covered entities are involved, two covered entities are responsible. The ultimate responsibility holds here, that any time I pass an electronic record, I gotta know whether or not it is coming from my place, whether it is valid, and, then, whoever receives it, whether or not it's okay.

DR. COHN: Okay. Now, I am going to suggest that - we are running 15 minutes after a late lunch anyway, and Marjorie, I think, has commented that if we wait too much longer, we are not going to have lunch, because they won't have any upstairs.

Now, I am going to suggest we take about a 45-minute lunch break, so we'll start 15 minutes later.

What I want to do is to spend probably the first five minutes or so going through the remainder of the background here, and then we will move into the NPRM comments, and that should, hopefully, help us sort of make up for time and all of that.

So we'll take a lunch break, come back at 1:30.

(12:45 p.m.)

* * *

(1:41 p.m.)

DR. COHN: Harry, I think that you still have the floor.

What we'll be doing is going through the remainder of the background information on the letter on e-prescribing, and then moving into the NPRM letter, then we'll move from there to some comments about the population report, and then, finally, I think a brief comment about the work of the - on the biannual report, and then the report from David Brailer on his work, and then we'll break for subcommittee meetings.

Harry. Harry, closer to the microphone.

MR. REYNOLDS: - and then you get into the e-prescribing networks, and with some of the discussions that went on earlier, you may want to take a good look at that e-prescribing networks, because this paragraph, and then the paragraph under Security and Authentication of the E-Prescribing Networks, gives you a little more in depth about what we actually heard in testimony and what is going on and may help you with some of the questions that came up today.

And we talk about and generally describe the e-prescribing process, and if you notice, on line 46, at the bottom of page 3, we talk about e-signs or we did mention the things that are going on.

Use of digital signature in e-prescribing. We moved into that, into the idea of what happens if we go to the open internet. So you might have Step 1, and then you look at the open internet.

Industry experience with PKI. We pretty much summarized under that one the information that we had heard, and part of that was a lot of the PKI that is real successful is point to point, when you get multiple - so many hand-offs, as you would have in e-prescribing, is where it starts to become a little more burdensome.

So that was kind of the - Simon, a quick summary of the background.

DR. COHN: Any comments or questions about the remainder of the background information?

Okay. So we'll be bringing back a letter from the subcommittee tomorrow, noting whatever changes for your review and as an action item tomorrow. Great.

Agenda Item: Letter Commenting on CMS e-Prescribing Proposed Rule Action March 4

DR. COHN: Now, I think the next item for consideration is the letter on the e-prescribing proposed rule. Harry, it's yours again.

MR. REYNOLDS: Yes. Jeff, you want to make any comments before we start on that?

MR. BLAIR: The only comment that I want to make is for those of you who are looking at this for the first time, this is a unique format for the format of this letter, like, for example, when you see the background, that isn't the background that we created. That is the background section of the proposed rule for e-prescribing standards, the NPRM. So we are commenting within the format of the NPRM, and that is why you'll see the numbers skip. Okay? So, other than that, I think, Harry, go for it.

MR. REYNOLDS: We'll actually read this letter, since it is not nearly as long as the other one.

"The National Committee on Vital and Health Statistics, NCVHS, was called upon by the Medicare Prescription Drug, Improvement and Modernization Act of 2003, MMA, to develop recommendations for uniform standards to enable electronic prescribing - e-prescribing - in ambulatory care. The initial recommendations were delivered September 2, 2004. The committee is very pleased to find that these recommendations were helpful in drafting the Medicare Program E-Prescribing and the Prescription Drug Program Proposed Rule. This letter includes the NCVHS comments in response to the Proposed Rule in the response format requested."

Under "Background," we had a comment on A, which was Statutory Basis.

"NCVHS recognizes that the HHS Proposed Rule must be consistent with the wording in MMA, including the wording, ‘e-prescribing standards apply only to information regarding Part D eligible individuals enrolled in Part D plans.' However, NCVHS also believes that HHS should ensure that e-prescribing standards are not only appropriate for Medicare Part D users but also consistent with the standards for all types of prescribers, dispensers and public and private sector payers. This is necessary to avoid barriers to interoperability across healthcare domains. To achieve this, e-prescribing standards for Medicare Part D should also be compatible with those adopted as HIPAA and CHI standards, and with those recommended in November 2003 by NCVHS for clinical data terminologies, especially with those pertaining to RxNorm."

And I'll stop there, see if there are any questions on that particular statement.

Okay. Moving to F under Background.

"Evolution and Implementation of an Electronic Prescription Drug Program.

"There are lessons learned from HIPAA regarding both the value of standards and the need for flexibility to respond to industry requirements and technology changes. There are a number of approaches that could be considered to provide the industry greater flexibility and ability to advance, while maintaining standardization of messages and data. For example, CHI has set precedence for this by adopting a version of its clinical information standards as a baseline, from which new versions may be adopted by the industry when ready; even though this process is different from the process required for standards adopted under HIPAA. HHS should work with the industry in its rule-making process to determine how best to afford flexibility in keeping standards in pace with the industry, including standards for HIPAA and e-prescribing transactions. For example, HHS might consider recognizing new versions of standards, without a separate regulation - " and this is key " - if they are backward compatible."

"The NCVHS - " I'm sorry. I'll stop there. I forgot.

DR. COHN: Comments or questions?

DR. STEINWACHS: Harry, just maybe wonder what a forward compatible one is. (Laughter).

MR. REYNOLDS: When you all agree ahead of time. (Laughter).

DR. STEINWACHS: Well, how come you didn't manage that before this? (Laughter).

MR. REYNOLDS: We are doing the best we - (laughter). John, you had a question? No, this John had a question.

SPEAKER: Oh, J.P.

MR. HOUSTON: J.P. By the way, after you're gone, I'm John again. (Laughter).

SPEAKER: I'm sure he'll never be just John.

DR. COHN: John Paul, what did you have for lunch? (Laughter).

MR. HOUSTON: Animal crackers. (Laughter).

DR. COHN: Oh, okay.

MR. HOUSTON: They not natural anymore.

The only thing I would - the one sentence towards the bottom of this paragraph, in keeping - it talks about flexibility in keeping standards in pace with the industry. Don't you really mean to say in keeping standards in pace with the needs or the requirements of industry?

MR. REYNOLDS: Standards in pace with the needs of the industry, rather than just industry.

DR. COHN: Yes, I think that's a friendly wordsmithing change. Jeff, you are comfortable with that?

MR. BLAIR: Yes, sure.

DR. COHN: Okay.

MR. BLAIR: How come I didn't get the animal crackers?

MR. REYNOLDS: Okay. Under "Provisions," letter C. "Proposed Requirements for Part D Plans.

"The NCVHS recommendations relative to e-prescribing standards adoption within ‘closed' environments is different from the HIPAA transaction requirements where the Rule applies to both ‘closed' and ‘open' environments. NCVHS observes that HL7 is commonly used to communicate medication orders within a hospital, and with clinical pharmacies within an enterprise. However, coordination of the HL7 data elements for order entry messages with the NCPDP SCRIPT Standard data elements for e-prescribing messages (which are used to communicate prescriptions to community and retail pharmacies) would result in functions being more seamless across healthcare environments. This would remove a major barrier to adoption of electronic medication ordering and prescribing. HL7 and NCPDP have already begun this coordination by mapping the data elements in their respective standards that support common functions. NCVHS believes that HHS should recognize the exchange of prescription transactions within the same enterprise as outside the scope of MMA e-prescribing standard specifications. However, HHS should require that prescription orders sent using HL7 messages within an enterprise be translated to NCPDP SCRIPT message format if the message is being transmitted to a dispenser outside of the enterprise. HHS also should require that any retail pharmacy within an enterprise be able to receive prescription transmittals via NCPDP SCRIPT from outside the enterprise."

Focus there is adoption.

DR. COHN: Yes. I actually have a minor wordsmithing change. I am just wondering whether the word however really should be however or should just be struck.

MR. REYNOLDS: Um-hum.

DR. COHN: Any other comments?

MR. REYNOLDS: Okay. Under "Proposed Standards, 1. Prescription."

"NCVHS observes an apparent inconsistency in the description of the proposed standards to be adopted regarding the Prescription Fill Status Notification Transaction. On page 50 of the text version of the Proposed Rule, the Prescription Fill Status Notification Transaction, and its three business cases, are correctly excluded from the foundation standards. However, on page 53 of the text version of the Proposed Rule it incorrectly states that there is industry experience with the Fill Status Notification Transaction. The sentence on page 53 that needs to be corrected is: ‘More specifically, the NCPDP SCRIPT Standard transactions we propose for adoption have been used extensively for messaging between prescribers and retail pharmacies for new prescriptions, prescription refill requests, prescription fill status notifications and cancellation notifications, as part of the Consolidated Health Informatics, CHI, Initiative."

Number 2 under "Proposed Standards," "NCVHS supports the adoption of the ASC X12N 270/271 transactions for conducting eligibility and benefits inquiries between prescribers and Part D sponsors and the NCPDP Telecommunication Standard for conducting eligibility transactions between dispensers and Part D sponsors. NCVHS would like to emphasize the importance of the note within the proposed rule that ‘the level of detail returned on the 271 by the Part D sponsor must match the level of detail in the inquiry made by the prescriber in the 270 request, to the extent that the Part D sponsor's system is capable of handling this request.' In addition, the proposed rule indicated that ‘if standards are updated and newer versions are developed, HHS would evaluate the changes and consider the necessity of requiring the adoption of new updates to the standards.' NCVHS believes the process of potentially accepting as compliant different versions of the standards that are backward compatible is critical to keeping the e-prescribing process current. This should apply to all applicable standards, including, for instance, the X12 278 Prior Authorization standard and others.

"NCVHS is pleased to provide these comments in support of advancing the principles and purposes of e-prescribing."

DR. COHN: Comments or questions? I know it's after lunch.

Well, I guess the question I would ask for the full committee is, given that what we have identified are, I think, two wordsmithing changes, which I think have been accepted, is this something we want to move for adoption today or ponder over this evening and come back?

John Paul.

MR. HOUSTON: I move for adoption.

SPEAKER: Second.

MR. HOUSTON: When is the period for responding to this one?

DR. COHN: The period for response ends, I think, April - April - something like that in April. The problem is, of course, is that this is our committee meeting. Otherwise, we would have taken longer putting this together.

Okay. Is there discussion on this?

Well, all in favor say aye.

(A chorus of ayes).

DR. COHN: Opposed? Abstentions?

Well, it's passed.

MR. REYNOLDS: The committee thanks you.

SPEAKER: If you mail this quickly, it will be the first comment in.

DR. STEINDEL: I was going to suggest, Simon, you just sign it tomorrow and hand it to Karen.

DR. COHN: I think she would probably prefer getting it electronically.

Now, before we move - so I think this is actually the business for the Subcommittee on Standards and Security, at least until our letter - the other letter coming back tomorrow.

I think that the full committee just needs to be aware that there will be sort of continuing letters, though not of the length that we have been dealing with, likely dealing with e-prescribing, probably through the end of the year, because we may be commenting on pilots further. Certainly, Carol brought up an issue. As we begin to - for example, as we begin to find out more about how these standards are moving through NCPDP, we will likely be making comments on those.

Hopefully, they will look a lot more like the letter that came out of the Subcommittee on Privacy and Confidentiality. In other words, a one-to-two page letter with specific comments, as opposed to these longer letters, but I just want to make sure everybody is aware of all of that.

Now, before we move on to the report from the populations committee on the Population Report - the Committee on Populations - I actually - it has been suggested that I - I think, given Judy Berek's meritorious service on the committee and really our appreciation of her, what we would like is a motion and an acceptance for us to put together a letter to the CMS Administrator thanking her for her service.

SPEAKER: So move.

DR. COHN: Second?

SPEAKER: Yes.

DR. COHN: All in favor.

(A chorus of ayes).

DR. COHN: Opposed? Abstentions?

Okay. Judy, you don't get to vote. (Laughter).

Okay. With your leave, what we will do - I will work with the staff in terms of putting together such a letter and we will get one out.

MS. BEREK: Thank you.

DR. COHN: Well, thank you.

Agenda Item: Status of Populations Report

DR. COHN: Okay. With that, want to move to the Population Report, and Don and Vickie, I think you are taking the lead on this?

DR. STEINWACHS: It is a pleasure to be here as the new Populations Chair. I am still a little worried about trying to fill Vickie's shoes, and she has been coaching me and trying to help me along, so I want you to know I very much appreciate this.

We will be, on the Populations Committee, talking more about our agenda for the future and ways in which the Quality Workgroup and the Populations group can have a more coordinated agenda, but the major item on the Populations Committee is to try and bring to culmination the work that Vickie has led in a Populations Report - and we are hoping to be able to bring the final report to you in June, and so what I have asked Vickie to do is go through and give you an overview of the kinds of recommendations, so there can be some feedback, if the committee feels that there are concerns or issues, and then we can take that to our committee meeting this afternoon.

Vickie.

DR. MAYS: Thank you.

We are a group that started out with 69 recommendations. Talk about a learning curve. It's like I have now learned, but, I don't know. I feel like after the last report, in terms of how long that one was, maybe we're still okay on that. (Laughter).

So, anyway, what we did, in order to make this more manageable - and let me just make an acknowledgment first, and that is Populations has, in the past, often conducted business in conjunction with NCHS, and, in this instance, when we were working on this report, NCHS was very helpful in the form of Jennifer Mattins(?), in terms of giving us feedback. So I just want to acknowledge her work and thank her for all she did to help us to get to the stage that we're at. So duly note her work to this.

What we did was, in terms of looking at all those recommendations that we had, we were trying to think of the best way to organize them, and also to try and map things, I think, a little bit better with the other subcommittees.

So what we did structurally is that we actually have kind of three overarching recommendations, and the first is within the context of standards, you know, and I almost shudder to say that, because it is not standards in the sense of the technical ways that you talk about it, but, to some extent, it is.

So, in terms of our three overarching recommendations, the first kind of addresses itself to standards. The second really addresses kind of the methodological research that we think would be helpful and necessary in order to help the collection of data on race and ethnicity, and then the third is actually to talk about the infrastructure in terms of health statistics and the kinds of things that the Department would be able to do to increase the collection of data on race and ethnicity as well as improve its dissemination of the findings. So we organized it that way.

What I would like to do, if I think we have enough time, is at least to go through the first, which is the standards, because this is where, in particular, we would like to get some - we want feedback on the whole thing, but, in particular, this maps onto the committee's agenda, so, if possible, I think we have enough time to be able to go through the first set, and then we'll ask you, please send Don emails about any additional things that you see.

We may come forth with - after we meet with the subcommittee, a couple of additional recommendations that will go in here, but, for now, this is probably the body that we will bring back in June.

Under the first set of recommendations, the overarching recommendation is HHS should improve the coordination of efforts to collect data on race and ethnicity by developing standards for assessing race and ethnicity. These efforts should take place within HHS as well as through partnerships with federal, state and other entities that collect data on race and ethnicity.

The first one that we talk about is the NCVHS acknowledges the leadership role the Department is playing to develop standards on collecting racial, ethnic and primary-language data under HIPAA and strongly urges the Department to summarize its business case for racial, ethnic and primary-language data for healthcare performance measurement and to accelerate its efforts to modify HIPAA standards to simplify the reporting of data on race and ethnicity.

In addition, the Department is urged to work with healthcare-sector professional associations to encourage adoptions of an industry-wide data-collection standard for assessing race and ethnicity.

So, again, I think that probably is something that we may want to hear from some of our colleagues on.

DR. COHN: Okay. Vickie, can we ask questions as you go along?

DR. MAYS: Oh, sure.

DR. COHN: Okay. Well, Marjorie, I'll let you start.

MS. GREENBERG: I appreciate it. I got these yesterday, so I had a chance to look at them.

DR. MAYS: That's fine.

MS. GREENBERG: I just needed some clarification on what was intended by standards for assessing race and ethnicity. Are you talking about standards for collecting race and ethnicity or standards for assessing disparities or - I just -

DR. MAYS: Standards for collecting.

MS. GREENBERG: - didn't understand what you meant by that.

DR. MAYS: Standards for collecting.

MS. GREENBERG: Collecting.

DR. MAYS: Yes.

MS. GREENBERG: Well, then, I think that is the word that should be used.

DR. MAYS: Okay. Thank you.

Simon, did you have your hand up?

DR. COHN: No, I think Marjorie - I did not need to follow up. Thank you.

DR. MAYS: Two, states should explicitly - should be explicitly encouraged to collect race and ethnicity data on the Medicaid or state equivalent enrollment form and to share that information with managed-care organizations, MCOs, to enable them to produce state-required reports along these dimensions.

The committee also recommends that CMS require state Medicaid agencies to ensure that enrollment data are, at a minimum, linkable to encounter data and encourages each state to perform this linkage in a manner that is consistent with standards regarding the electronic transfer of data and with confidentiality and private practices and procedures.

Okay. Three. HHS should contribute to the creation of an interconnected Indian health network for the 300-widely disbursed healthcare sites to standardize systems and protocols for collecting race and ethnicity data at all locations and to more effectively collaborate and pull data, expertise and resources.

Information systems comparable to those developed in other federal healthcare systems, such as the Department of Defense and Department of Veterans Affairs, should be adapted for the Indian Health Service.

HHS should support national data networks that are both urban- and reservation-based for American Indians and Alaska natives that use compatible data collection methodology.

Four.

DR. COHN: Vickie, I'm sorry. I just had a question here. This has to do with the Indian health system. Explain to me a little more about this. I mean, obviously, I don't have the four chapters before it that, I am sure, explain what this is, but the Indian Health Service -

DR. MAYS: Indian Health Service.

DR. COHN: - uses, effectively, the VA system for at least -

DR. MAYS: It doesn't. That is what we are actually suggesting.

DR. COHN: Oh, okay.

DR. MAYS: We heard testimony that, quite frequently, within the Indian Health Service that the infrastructure, in terms of - I mean, they even fussed at us a little bit about sending things by email, because of the lack of computers, et cetera, but what has happened is that different clinics within the Indian Health Service will have different packages that it uses to capture information, and there is a difficulty of communicating across the various systems. So it takes a lot of effort, for example, to get some of the data that we do have on American Indians, and part of that is that there isn't necessarily a coordination of the kind of software that is used, where, for example, some data is drawn from, whether it is at a visit, whether it is, you know, in other places, during the encounter.

So part of what we are recommending is that if HHS would try and help them to develop a coordinated system where data could be systematized, where there are similar methods for collecting the data, as well as the ability to kind of - you know, we talk about kind of interoperability, that there is the ability to share the data across all those systems.

DR. COHN: Richard.

DR. HARDING: I apologize for going back to something but I just have a question about number two, the first sentence, the words, states should be - quote - "explicitly encouraged." I'm sure that you all thought that through as to what that word should be, but, you know, coming from a place where we get lots of encouragement, but not any -

DR. MAYS: Not money. (Laughter).

DR. HARDING: You know. You know. Is there another word or something like incentivized or something that would imply that there's something in it for them, other than to be encouraged to do it, because we get encouraged to do just so many things in states without any resources and so forth. I just wonder if there is another word.

DR. MAYS: Let us - Yes, I was going to say let us discuss that.

DR. HARDING: Thank you.

DR. MAYS: Unfunded mandate.

DR. SCANLON: Could I just add something about whether - with respect to the Indian Health Service - that you heard that this would be a feasible goal in terms of trying to be uniform across these 300 sites.

Comparing them to the VA - and I know that the VA has put an incredible effort in trying to create sort of national uniformity and - though, many times, when at Yale(?) we have looked in the VA we found that there wasn't national uniformity, and - you know, even within a VISN you could find differences among the different medical centers, and so this seems like it is an admirable goal, but needs to be part of a much bigger objective, which is to try and create some national policies, and I am wondering if they in place to facilitate this or not.

DR. MAYS: I think what we can consider is whether or not - I mean, I think this is a very important goal here, and maybe we might be able to state it a little differently as to put the things in place to make this happen, but I think the problem that we faced when we had our hearing is the extent to which the ability to be able to look at their own health issues is severely compromised for this reason.

The most data - the reason you see so many papers out about rates of cancer is because of the SEER Program, and they were using that as an example of a program that has been able to collect data on race and ethnicity and then to be able to look at it across various geographic regions, and that was, you know, what they were asking for is something that could be done in terms of the Indian Health Service.

So we can revisit - I think - You know, I understand what you are saying, and I think the revisiting is maybe to make it a step on the process of ensuring that this can get done.

DR. HUFF: Recommendation 3 seems like it is out of context in that it has to do with race and ethnicity data, but it has to do with a much more global issue, basically saying that the Indian Health Service's information systems are inadequate and incompatible, and I wonder if that should be its own recommendation in its own section somehow, so that it - I think it could get lost sort of in here with the other recommendations about race and ethnicity, and I think it is a bigger issue that maybe deserves more treatment, you know, in a recommendation of its own.

DR. MAYS: Okay.

DR. COHN: Okay. Mike, and then Kevin.

DR. FITZMAURICE: In the federal government, we are kind of bound by how OMB tells us to collect race and ethnicity data. They have a framework, and as I looked through the report, I don't see any comments about that framework, or just looking at the recommendations in Chapter 5. Does the report find sufficient this framework for collecting the data, and your point is that not enough is being collected to improve quality of care, patient safety and other uses, that it is not enough is being collected as opposed to the framework needs to be improved?

DR. MAYS: There is a section earlier in the report that talks about the OMB guidance, and, to some extent, at the national level, part of what occurs in the collection of the data is that there are a set of guidance. Federal agencies, you know, adhere to that guidance. So that is not the problem.

It is somewhat tricky in terms of some of the collection of the data, and that is a little bit of why we are saying, for example, it would be great to have methodological research. It is great to understand that, for example, people may change their identity, you know. There's a fluidness there. There is an issue of how do you ask these questions. There is the issue of training people so that, as you ask the questions you have a sense of the answer, like when we had the presentation by Suzanne Heurtin-Roberts. Let's just say, for example, someone comes in and they say, I am Creole. If you don't know the translation of where that goes or you don't understand kind of what the category is, then you may end up misclassifying the person. So there are, I think, some areas that still need training. There are some areas that we do need to talk about, and then we also have to understand in the collection of this data of race and ethnicity a little bit about how to use it.

DR. FITZMAURICE: Thank you.

DR. MAYS: And that is kind of the foreground of the report.

DR. COHN: Kevin, you had a comment, question?

DR. VIGILANTE: Actually, I think it may have been covered already. I'm not sure, but it goes back to your comment about VA VISA. Yes, on the one hand, you know, the VA VistA has been modified significantly in the Indian Health Service. There is a lot of variability. They have had to add pediatric modules and billing systems and changed it in other ways, but it still, for the most part, is, as I understand it, the foundation system for Indian Health Service.

So I think when we say systems comparable to those developed in other federal healthcare systems, such as Department of Defense and the Department of Veterans - I would say it is comparable. Although, in terms of its foundational structure, there is a lot of variability in it

that prevent it from being used in the ways you have already cited.

DR. MAYS: Thank you.

DR. COHN: Yes, Kevin, thank you.

Mark, did you -

DR. MAYS: That is a good point.

DR. COHN: And, actually, I guess before we move on - I'm sure Mark has another issue - I just came away feeling like we need a little bit of fact checking to figure out how exactly to express this one.

DR. MAYS: Yes.

DR. COHN: And, obviously, the Subcommittee on Populations can just sort of check that.

MR. ROTHSTEIN: In the first line in number 5, the federal agencies, from the parenthetical, I assume you are referring to HHS agencies and if that is the case, then we might want to do more than encourage, and we could say, HHS should direct appropriate agencies, and then the parenthetical to, blah, blah, blah.

MR. SCANLON: I guess I would go one step further. These agencies are HHS.

MR. ROTHSTEIN: Yes.

MR. SCANLON: So why don't we just say HHS agencies should hold -

MR. ROTHSTEIN: Well, either one, yes.

DR. MAYS: Okay.

DR. COHN: Marjorie, I think I am going to let you continue.

I just want to remind everyone this is not coming forward to a vote today. We don't have the first five chapters. This is just the rough recommendations. I think we all have a tendency to want to get this right the first time, and I'm sure -

DR. STEINWACHS: We'd welcome a vote now and just move on - (laughter).

DR. COHN: That's right.

I just want to keep that in mind in terms of your comments. Well said, Don.

DR. MAYS: Okay. I think I left off at 4. American Indian and Alaskan Native tribe entities and minority community-based organizations, CBOs, should be consulted regarding any HHS or agency plans that involve standardizing the collection and use of race and ethnicity data.

HHS should consider adopting the consultation model used by the Bureau of the Census in explaining Census 2000. The Department should undertake similar consultations with Puerto Rico, the Virgin Islands and the Pacific insular areas.

MR. SCANLON: Vickie, again, I hope you make this - you probably make it clearer in the narrative, but it almost sounds as if there was no standard now for collecting race and ethnicity data, and, of course, there is.

DR. MAYS: Yes.

MR. SCANLON: Do you mean further standards or further detail or -

DR. MAYS: It's more further detail.

MR. SCANLON: Additional?

Maybe we should say that involve additional standardization or further standardizing. Because we - I am sort of assuming that we are starting with the race-ethnicity standard we have -

DR. MAYS: Yes.

MR. SCANLON: - defined by OMB. We have no other choice.

DR. MAYS: I think that that is probably - we had a lead-in paragraph and we took it out. So I think - I now have a clear sense of what the lead-in paragraph should be. We had taken out what was there. So, now, I know exactly -

MR. SCANLON: Within any of the major categories

if HHS wanted to standardize the sub-population groups -

DR. MAYS: Exactly.

MR. SCANLON: – that is where the standards would -

DR. MAYS: Okay. So okay.

Five. HHS should direct - wait - should – HHS agencies should hold national, state and ethnic racial-group conferences that focus on collecting, analyzing and disseminating data on racial and ethnic group health status, health behaviors and health disparities.

These conferences can play a role in enhancing coordination and improve the development of standards around collecting race and ethnicity data.

So I want to stop there, in terms of - because we actually don't have the time to read them all, but those are the ones that I - You look quizzical. I didn't think we did. Oh, okay. I was like, we do? I didn't think so. I was trying to keep to my 15 minutes, and to suggest the second overarching recommendation really is on kind of the methodological research, and so we welcome - you know - any thoughts or inputs into that, as well as the last, which is the infrastructure, and the infrastructure always becomes one where, you know, it is kind of a bit of a cost. So, you know, we want people to look, because it is asking people to do things - and many of these are things we have talked about before, like having additional data centers, et cetera, but these do involve some costs. So we would welcome your looking at them and thinking about them and giving us some feedback, because this is the gist of the recommendations that we'll be bringing forth.

The subcommittee, in its meeting this afternoon, will be looking at these as well as a few others that kind of - and some of the cuts were left out that might get put back in.

DR. COHN: And cuts that got left out that might be put back in, are they recommendations or are they background material?

DR. MAYS: No, no, no. The background material, we will do once we settle upon all the recommendations. There are a couple of recommendations the broader committee hasn't had a chance to discuss. So we just want to make sure that this subcommittee itself is fine with what is here and what was cut. So that is to give them the opportunity to opine on some of the things that were cut.

DR. COHN: Okay. Comments from the full committee?

I looked at this late last night, and I actually thought that these - and it is good not to see 69 recommendations or 83 or whatever, so I want to thank you for that. (Laughter).

DR. MAYS: We thank ourselves for that.

DR. COHN: Thank yourselves for that.

DR. MAYS: We are not killing ourselves over that.

DR. COHN: Yes, I would also just congratulate you on - some of these that we have looked at, they actually look like that they are actionable. You can sort of tell, which is, of course, I think the mark of a good recommendation.

Actually, just generally comment that I think what we are seeking sort of as we move forward is making sure that when we come forward with something that it is specific enough that an agency would know what to do with it when they got it as a recommendation. To me, that is a mark of a good, well-thought-out recommendation, that they don't have to go out and study something for a year to figure out what to do with that recommendation. So I think we are making great strides.

Now, the only question I would have, and this is something I don't know because I am not part of your subcommittee, though -

DR. STEINWACHS: You could join us. (Laughter).

DR. COHN: I know. I know. And I could sit in for some of it today, which I probably will.

Is just to reflect, as you go through this, to make sure that this is - that these recommendations are sufficient to get us where we think we need to go, and that would really be the only question I would have, and they may very well be, but I would just have you all reflect on that that there isn't something obvious or something big that needs to be stated here somewhere.

But, generally, I think it all looks pretty good.

DR. MAYS: Yes, I think there are a couple that we do need to discuss about potentially putting back in that, you know, I think - that I think, you know, there's one that I do think is big, and that is the notion of the - we had talked before about the surveys, about doing - having small-group surveys that periodically are done to ensure that the populations that we aren't able in national surveys to get data on that we figure out some kind of collection procedure to be able to do that. So that is one of the ones we have to discuss.

DR. COHN: Okay. Any other comments on this one?

Okay. Now, what we are going to do with the remainder of time - and, Vickie, I apologize if I was looking at you cross-eyed, I was, I think, it's my after-lunch - you know - sort of fading out here, but, actually, we actually could have given you a couple of more minutes if you had needed -

DR. MAYS: Okay. I was trying to do my 15 -

DR. COHN: No, you did very well, and I think we'll be seeing this back next meeting also.

What we are going to do with the remaining time is, obviously, one, we are going to just talk briefly about the biannual report and what the status is of that, and then I want to - Actually, let me just talk for a minute or two, and then we'll get into the biannual report, because I think it is probably the way to do it, and then we can - then, by that time, I think, David Brailer will be joining us for a conversation for a couple of minutes, and, then, of course, we'll break up into workgroups.

Obviously, this morning - and, once again, I am not going to - you probably will hear from me again and again today about various issues, but this morning, I tried to keep my comments very brief in terms of things that I heard from the full committee, in terms of all the conversations I had, knowing that, first of all, it was a little after 6:00 a.m. California time, but, even beyond that, that we had a very packed agenda this morning.

There were a couple of things that I neglected to say, which I just sort of want to comment about. I mean, really, one of them is just sort of the reflection in which something - I just want to apologize for admitting is this is a recommendation of our staff and our staff support. I think that I heard from all of you, and, certainly, I recognize, you know, without Jim or Marjorie, Marietta, Debbie Jackson, Maria, the list goes on and on - I mean, once again, I can't remember everybody - Kathryn -

SPEAKER: Where is everybody?

DR. COHN: Mess it up here.

You know, we are not going to be successful in our work. We really rely on them. I see one of the main roles, my role going forward, as well as the role of the chairs of the subcommittees is sort of the care and feeding of the staff. I mean, I commented that we have full-time jobs. To my knowledge, I think they all have full-time jobs on the side, too, and this is something they do above and beyond their work, because of their dedication and belief that we really do make a difference.

Certainly, one of the things that I am pondering about - I mean, recognizing we have been - I mean, we have all been - in all of our subcommittees and workgroups about how to do things most effectively, but one of the things that I am sort of struck with is is that every time we produce a major report or a major letter, and the new members now are seeing, well, you have two-page letters, we have 18-page letters and we have 39-page reports - 49-page reports, and probably even longer if we allowed ourselves with, but is to make sure that every time we have to do one of these things it is not a Herculean effort that causes everybody to just sort of get ground down in the process.

I think, from my view, we need to be very thoughtful about using consultants sometimes to help, and, indeed, one of the things we are going to need to really think about is how to most effectively use them going forward to sort of help keep our staff healthy, happy and being able to be supportive of us.

It, obviously, is going to take work on our part to make sure that we size the tasks well. Certainly, staff can work a lot better on a short report or a couple-of-page letter. An 18-page letter - you know the Subcommittee on Standards and Security had actually pulled in a consultant full time to help us with that, and, certainly, when we get to a longer one, clearly, you need dedicated consulting resources to help us, but it's one of those things of pulling in the consultants early to help the staff, knowing that, once again, like us, you know, they've got 40-hour–plus jobs and weekend work and everything else, because of their commitment, and the fact they're good. We want them to - we want to have the best and the brightest.

So take a moment and acknowledge our staff, knowing I haven't gotten everybody's names' here, but I think we should all applaud them. (applause).

MS. GREENBERG: I would just say it has been, over the years - since 1949, probably, but I can't quite remember back that far - but a very good partnership, and I think you've put it that way once, John, and I thank you for your kind remarks, but, you know, we also look for continuous quality improvement; but it is a good partnership, and I think that is the nice thing about the committee.

DR. COHN: Right.

MR. SCANLON: I have been accused of having about half of HHS staff working for the committee and it is the same 18 or so. (Laughter).

DR. STEINWACHS: Only half, Jim? Only half?

MR. SCANLON: Only half. (Laughter).

MS. GREENBERG: The good ones.

DR. COHN: Yes.

SPEAKER: Just the good ones.

DR. COHN: Yes.

Well, I just - once again, one of the things that the Executive Subcommittee, I think, is going to do over the next period is really looking at how to make the workload - how to make it work better for everybody, because I know how hard Vickie is working on this population report. I know how hard Harry and Jeff and Maria and Simon worked on both the first and second list of e-prescribing recommendations, as well as the other subcommittee staff; and, as I said, I think we are being called upon to do more and more high-quality work and give better advice to the Secretary. So, obviously, we want it to be timely. We want it to be relevant. We want to be able to survive the process and thrive in all of this stuff. So - this will be something I said - once again, I heard from all of you. We will certainly be reflecting as we sort of move forward.

Now, the other thing - once again, and I hadn't really commented on this - was one of the things I heard from all of you - and, actually, it was my good idea going in, and so I asked all of you and you - said, you said, Well - that is okay - was - you know, sometimes, the Chair comes in with opinions and all of that - has been the issue of empowerment.

I mean, there are 18 of us. We want to make sure that everybody is as productive and contributes as much as possible to the full committee, and so we are, obviously, looking to - you know - the new members, we want to encourage to be as active as you feel comfortable being. The old members, we would say, Geez, if you are not as active as you think you should be, hey, let's get you more active and more involved.

DR. STEINWACHS: Do they have pills to help with that?

DR. COHN: What?

DR. STEINWACHS: Do they have pills to help with that?

DR. COHN: No.

SPEAKER: Stimulant -

DR. COHN: Stimulant. (Laughter).

But - and so we'll be having conversations with that. I mean, some of it may involve people moving from one committee - some committee to another or a workgroup if their interests are more aligned with one place or another, and this is really, once again, with the transition, the time to think about that.

The other piece, though, which I thought was important, and I - it is not something that I can, myself, make happen, but it is a conversation with the subcommittee chairs, is this idea of having virtually every - and this is not absolutely - but we want the workgroups and the subcommittees to consider having vice chairs as much as possible.

Now, I am not going to ask the Standards Subcommittee to have that, because they have cochairs, but in other environments, I think, where it makes sense, you should consider having a vice chair. I think it helps spread the workload, helps spread the leadership and responsibility. I guess out of my own experience, having Jeff as my Vice Chair for many years on Standards and Security, I thought worked very, very well, and so, once again, hopefully, what we are going to be doing is just getting a lot more - everybody sort of involved in one way or another, in terms of not just the work and coming to the meetings, but also in terms of leadership, the goal setting and all of this.

So, anyway, this is not something I can do alone. I am going to be looking to the Executive Subcommittee to sort of help figure out how to do this. I am not asking any of the chairs to appoint vice chairs during the session coming up today or probably not - and maybe not for the next three to six months, but will be, I think, moving sort of in a stepwise fashion towards that.

Marjorie, do you have a question? It looks like you have a comment.

MS. GREENBERG: I just realized that I didn't want to let people - when you were talking about pepping people up a little bit or Don was talking about that, I realized that I needed to tell you something about the dinner tonight, and I didn't want everyone to disperse before I did.

DR. LUMPKIN: Dinner? Tonight?

MS. GREENBERG: As you know, we are going to Maggiano's. I think most of you are coming, and that is great, and if you have not told anybody that you want to come and still want to come, please check with Debbie Jackson. I think we might be able to squeeze in a few more, if possible

DR. COHN: I think we need to give John more responsibilities anyway. (Laughter).

(Dinner plans discussed.)

Speaker: The meeting is five to six, NHII, right?

DR. COHN: Yes, it is going to be - I mean, we haven't gotten into sort of talking about the meetings, but obviously, the Subcommittee on Standards and Security will be meeting here from three to five, then that room will be taken over by the Workgroup on NHII. That will be an abbreviated meeting, only because those of you who know Washington know it is going to take a little longer than half and hour to make it up to Friendship Heights, at least in my experience. So this will be probably a 45-minute meeting, something along that line, 30-to-45 minutes.

The Subcommittee on Populations meets in 305, which is downstairs.

Now, I didn't mean to have us get into all this stuff, but I think it is important that everybody sort of know what the plan is. So, Marjorie, thank you.

MS. GREENBERG: And the dinner, we have a private room. So it's upstairs.

DR. COHN: Yes.

MS. GREENBERG: You can either take the elevator or walk.

And, then, tomorrow morning, both of the subcommittees or workgroups are meeting on the third floor.

DR. COHN: Oh.

MS. GREENBERG: 325-A, Privacy and Confidentiality, and 305-A, Workgroup on Quality.

DR. COHN: Yes, and I think Bob would remind you that he is starting at 8:30. Whereas, Mark is starting at 8.

SPEAKER: That is because Bob heads up a Quality Workgroup, and, you know, they take these quality-of-life -

SPEAKER: Rather than quantity -

DR. COHN: Exactly.

DR. COHN: I think after that letter revision, I think he is going to need to start at eight o'clock, actually. (Laughter).

Now, let me, however, get back to the agenda here, and let's talk about just a couple of things.

Agenda Item: 2003-2004 Annual Report – Update

DR. COHN: One is that we obviously just wanted to comment just relatively briefly about the 2003-2004 annual report, and I'll say a couple of things and I'll ask Marjorie to primarily chime in, but this is the NCVHS update.

We, I think, have been collecting research proposals coming out of the various reports, subcommittees, workgroups, in terms of their reports that we are intending to add to that.

What we are doing, primarily, is doing sort of a literature search looking at all the various things that we maybe have recommended, just so that, I think, HHS and others can sort of see a potential research agenda coming together.

Did you have other comments that you would like to make about this one?

MS. GREENBERG: About the annual report?

DR. COHN: Yes.

MS. GREENBERG: Yes.

This actually is a biannual report. I mean, the committee has - just for the new members - has always - well, a very long time - maybe from the beginning - has always done an annual report. Bill remembers that probably - on which we report on the work of the subcommittees, et cetera.

In the last several years, we have been tending to do more biannual reports, rather than annual reports, and then we also - partly because since 1996 and the HIPAA legislation, there's an annual report to Congress on HIPAA and all its provisions. So that has not substituted, but been another annual responsibility.

What we had talked about doing at the Executive Subcommittee meeting last summer, I think it was, was to try to pull together the recommendations that have been made by the subcommittees and workgroups for future research and put them all in one place in this report - maybe in a section or an appendix - because our sense was that these are more long-range types of recommendations, and they don't tend to get acted on really quickly, and they can kind of fall off the radar screen, as it were, because they may require - probably do require - additional resources, et cetera. So we wanted to kind of highlight those, and we have been working with the subcommittees to identify what those are.

We had also talked at that meeting - and, this, I guess, will be further discussed by the Executive Subcommittee - about thinking more about the research implications of a lot of the other recommendations that have been made over the last - since 2000, because there are many more of those than there are just strictly recommendations for research, and that would be for the future. That would not be incorporated into this 2003-2004 report.

We did approve an outline for the 2003-2004 report at the last meting, and I apologize, I don't think we put it in the agenda book, but we can send it to the new members. We have a writer who has been our writer for many years, Susan Kanaan, who is working on that with us. She will be interviewing the subcommittee chairs, and, of course, Dr. Cohn, because we'll be doing a forward, as well, to the report, and so - and she may be calling subcommittee lead staff as well. So, please, give her a little bit of time when she calls you. She has all the written documentation, but she might want to talk to you about some specific areas.

So our plan is to get this draft report out to you before - at least a few weeks before the June meeting. Well, actually, we'll send it through the Executive Subcommittee earlier than that, and it will be vetted through them, and then it will go to the full committee, and the goal is to have it approved at the June meeting, so that we can transmit it to the Department, and we'll publish it, et cetera.

Any questions about that?

I don't know how many of you remember Car White(?) or know Car White, very distinguished former Chair of the Committee. Both of you are a long line of distinguished Chairs, and Dr. White, who is retired from Johns Hopkins, of course, he is now at - he has a collection at the University of Virginia Library, and I was tickled to find out that his collection includes every annual report of the National Committee, So we do live at UVA. (Laughter).

SPEAKER: Hear. Hear.

DR. COHN: Mark, do you have a comment?

MR. ROTHSTEIN: No. (Laughter).

DR. COHN: Now, speaking of reports, I was actually - you know, one of the great joys of being a former Subcommittee Chair is is that you get to reflect on work that needs to be done by the current Subcommittee Chairs.

MS. GREENBERG: Did I suggest that to you?

DR. COHN: No, no - (laughter). I'm sure John felt that way when he moved from -

MS. GREENBERG: - the HIPAA report.

DR. COHN: Yes, did you write down the HIPAA report? Okay. All good minds think alike.

Well, we have, as part of our rechartering under HIPAA, back in 1996, the committee is responsible for producing an annual report to Congress and HHS on administrative simplification and the status and - you know - status of that activity.

In the first couple of years, it would only be Standards and Security Subcommittee that was writing for that report. Obviously, in more recent years, it has been really a combined effort between Standards and Security and Privacy and Confidentiality, and, of course, this year - I mean, we'll have to figure out when the year ends, but part of - yes, yes, but I think we may, you know, given that we are going to be putting security in this year, we might want to very much think about - and I am looking at John Paul - and, John, we will continue to use your middle name -

MR. HOUSTON: That's John Houston.

DR. COHN: John Houston. Okay. (Laughter).

Thinking that we may time this in such a way that we can, obviously, comment on the implementation of the security rule and all that as part of this, and, clearly, there's been a lot of, I think, other important pieces going on, but I would just sort of remind subcommittee chairs, that, on top of everything else, there is the opportunity to reflect a little bit about how the HIPAA implementation is going on.

MR. SCANLON: I think since e-prescribing was such a big part of this year that Harry and Jeff should take the first shot at the - doing the report. Nobody is laughing. (Laughter).

Simon.

DR. COHN: Yes. I'm sorry.

MR. SCANLON: I think what we can do is to get started - remember, the last annual report on HIPAA implementation actually turned out to cover a two-year period, because whenever we thought we were finished, it would be another milestone and we wanted to say, oh, let's see how that goes as well.

We are actually coming at this on stability, at the moment. So what we can do is have the staff pull together the factual developments and what we can on where we are with HIPAA, and, then, the committee - then, the committee can reflect on what issues it wants to raise in terms of how things are going and what to look forward to.

We did shorten the report considerably, which I think probably makes a lot of sense at this point. Rather than a full 50-page report, I think we sort of did a - what? - a sort of a letter, half-a-dozen pages or so, where we got the bulk of the information, and then a more detailed report for those that want to look at all the details.

So I think, with your permission, we'll go ahead and get the staff pulling together at least the factual basis, and then the various subcommittees can - how they want to interpret it or what they want it to look like.

MS. GREENBERG: And, Jim, what should we shoot for? Approval by June or by September?

MR. SCANLON: Let's see. The only other major milestone we have now will be the security rule kicking in in April. I don't know how much experience we would have by June with that. Should we aim for September and at least see how the early months of security go?

MS. GREENBERG: Well, there might be some NPRMs, too, I guess. I don't know. What would you recommend?

MR. SCANLON: Well, we do have one -

MS. GREENBERG: Maria?

MS. FRIEDMAN: This is Maria Friedman from CMS, and I would vote strongly for another letter report. I think, on timing, we should give the security rule a few months to kick in.

However, I'm not sure how long the time frame is when we need to get the report written, but I think some experience with security is a good thing, and the content for the other areas, at this point, is largely statistical - number of complaints submitted, ones that are open/closed and all things like that - and some of the other accomplishments the agencies have done in dealing with the issues.

DR. COHN: I think Jeff and Steve.

DR. STEINDEL: Maria, if the security rule is introduced in April, will we actually have time between April and September to have any real experience with implementation that we can get into the record?

MS. FRIEDMAN: Don't know. I think we ought to allow some time. If there is not sufficient experience or very much at that point, you can certainly address it the following year -

DR. STEINDEL: That is the way I would like to approach it. I think we should keep the September date, but -

MS. FRIEDMAN: I think we are bound to mention it, because it is a very important date and it is a very important set of activities.

MR. HOUSTON: We do have the luxury to put in what we want to say about security, go through the review, and if something big comes up in the middle of a review that really warrants discussion, we can put it in, I think, towards the end. I mean -

DR. COHN: Jeff has been patiently waiting to make a comment. Please.

MR. BLAIR: Donka shane.

A number of years ago, things were more straightforward when we were doing this report, because it was clear that things were directed from HIPAA to the NCVHS to do things.

Things evolved, and we had the PMRI report. Then, we had the PMRI message-format standards, and then we had - we moved into PMRI terminology standards, which became clinical data standards, which became consolidated health informatics - and I don't even know whether that is considered HIPAA anymore - and then to make it more interesting, we have the MMA with the e-prescribing, and while that probably isn't HIPAA, I wonder if it is useful to omit that from the report to Congress, because all these standards really have to be interoperable. So how will we handle that evolution?

DR. COHN: Sounds like Jim has an answer.

Actually, I have some thoughts, too, but, Jim -

MR. SCANLON: It's very true, Jeff, this area has evolved very significantly since 1996 when we thought HIPAA would be easy - it's true - and all we had to do was adopt the industry standards.

This is a formal - the HIPAA report is a formal report to Congress, and they generally don't go away unless the Congress specifically deletes it from reauthorizations.

On the other hand, I would hate to see that particular report as a vehicle in the place where all of these other issues get raised. It is just not a very suitable - it was meant to be a very specific kind of a requirement. So either - in the annual report someway, perhaps, we can integrate all of the information.

I do think we normally try to include in the report to Congress, though, on HIPAA at least a glimpse of the broader framework of which HIPAA is a part, that we don't go into - we don't - you know, we don't provide milestones or detailed reports there.

So my own recommendation would be that we keep to the original intent of Congress, which was a report on HIPAA implementation. It is much - now that privacy is in full implementation, security will be coming up. We have one or two more of the standards - claims attachments, for example - to make it into regulations. There's still plenty to include just on the HIPAA focus alone, but I do think we have to at least allude to the broader context and the work of the committee on these broader fronts.

MR. BLAIR: Thank you.

DR. COHN: Yes. Do others - I have a comment on this one, but I am curious if others -

MR. REYNOLDS: Yes, I think it would be good to point out in the HIPAA report that the privacy, security and some of the transactions - still continue to be foundation standards, as we are looking at the new things that are coming along. So they didn't just play on their initial implementation what they were focused on. Looks like they are going to be good, solid base standards going forward. That may be a way to tie it in without getting into the specifics of the other things that it did, whether it's an electronic medical record or the PHR or e-prescribing or anything else, but just to point out that they still continue to be held in good stead as base standards going forward.

DR. COHN: I think your comments are sort of aligned with how I tend to think of this one. When I talk about all this stuff, I talk about the HIPAA sort of as Phase 1, and then the clinical data standards as sort of Phase 2, all moving up towards the NHII, which is really how they all - I mean, that is how I think how we all anticipated that they would be fitting together.

But I agree with Jim. I mean, one could easily spend three-quarters of it talking about e-prescribing, CHI recommendations, maybe in Federal Health Architecture, but I think, in reality, what you want to do is you want to focus primarily on the Phase 1, recognizing, I still think, everything I have heard so far - and I'm looking at Carol, because I think she is sort of agreeing with me on this one.

I think - so far that there's room for optimization of the HIPAA implementation. I don't think we are quite - this is not, in my view, a steady state or a done deal or everything is wonderful and whatever. I think we have implemented. Now, as I described, the harder part is really working with everybody to make sure that this really drives the value that we had all envisioned back in the mid-90s, and I think there is the opportunity - I know it is something the Standards and Security Subcommittee is going to be looking at, and it may be that that can begin to provide some of the help in terms of helping the report making sort of a conceptual leap from just this percentage that has been implemented, but more that people are beginning to show business value. Just a thought.

Carol, did you have a comment?

MS. MC CALL: Yes, a comment, and I guess the next couple of days I'll exercise my rights as a new-be to ask a basic question, because I like the term - I think, that Jeff used the term evolution. There is a true evolution taking place, and so my basic question is around this report and - which originated around HIPAA, and, yet, as we evolve forward and as all things evolve forward, HIPAA - as you said, we have used the term foundation - becomes a foundation, but I think it is important to talk about the context and use whatever that vehicle is to introduce what the important topics are to know about, and what I don't know, the question is are there other vehicles besides this report to help frame what the news should be?

It kind of reminds me of the state that says, I know what you asked me about, and I will tell you about that, but then I know what you should have asked me about, and I want to tell you about that, too, and so I don't know enough about the various opportunities that we have in a formal way to give an update about the important news of the day and the important context to be considered. If this were the only vehicle, I might have a different answer than if there were others.

DR. COHN: Yes, and this is certainly not the only vehicle, but it is an important vehicle. So I think your thoughts are well taken, in terms of the framing of the whole discussion.

MS. GREENBERG: I might say this is the only report specifically required by Congress to them. Although, it also goes to the Department, but we always send the annual report to Congress as well. That is certainly a vehicle, and, then, there are others as well, but this is the only report in which we report directly - have been asked to report directly to Congress.

DR. COHN: Well, now, with that, I am going to - I mean, first of all, I want to thank everybody's input. I think we will aim toward September with, hopefully, a rough draft in June for us to look at and comment on.

Agenda Item: National Health Information Technology Update

DR. COHN: I think, with that, we are happy David Brailer has arrived, National Coordinator for Health Information Technology. We actually have a place for you in front, if you would like to join us.

David, welcome.

DR. BRAILER: Thank you.

Okay. Well, thank you all for having me back in our regular exploration of the role of health information technology.

Before I start, I would like to extend my personal thanks to John Lumpkin for his period of service as now your former chair. I knew John had been chair of NCVHS for a long time when I asked him to join me for a cup of coffee, and he said that would be fine, but we would have to publish the agenda of our meeting two weeks in advance. (Laughter).

I am very glad to have Simon take the lead. Some of you may not know that Simon and I go way back. He was a Public Health Service physician in a very small town in West Virginia where I grew up, and while we didn't meet then, we share very many common experiences with that small county. So it's good to have someone that understands what real America is like in the leadership role, not that John doesn't.

Well, you have, mercifully, only given me a few minutes to update you, which was a hint to be brief and to the point, and so I will do that. I am going to talk about four activities - our alignment with other groups, in addition to our growing work with NCVHS; the National Health Information Network RFI process that is underway; our strategic plan; and, then, Federal Health Architecture, which follows on the letter that I sent to you in January.

So, first, our alignment with other groups. As you know, the Commission for Systemic Interoperability is now underway, and they have had, I think, two meetings, and they are working in a very complimentary manner to what we are doing. I think they are exploring a variety of areas around consumer aspects and standardization that we found to be particularly challenging issues, given the broad array and diversity of opinions and the lack of clarity about what even the issues are, and so I just wanted you to know that we really welcome that group. We are working closely with them, and we certainly are quite supportive of their agenda and are looking forward to their report, which is due in just a few months, in October.

Secondly, we have had the privilege of working with a private-sector group which some of you may have heard of called the Certification Commission for Health Information Technology, and this group is a group of private-sector leaders that have come together to try to develop specifications for what is a minimally-featured electronic health record, including privacy features, security features, interoperability features, in terms of e-standards, and decision-support functions that would be deemed a bundle of features that would constitute what any reasonable buyer would want, and I think this is important work, and we have been watching this, so we have two ex-officio seats, one from my office and one from CMS. We expect to see more participation there, and they have a variety of workgroups underway that have a number of federal employees and federal leaders on, really trying to wrestle with this question of where is the line drawn. It is going to be very necessary for future incentives or anything else that might happen around electronic health record.

So, secondly, we have, as you know, now received all of the responses to the RFI that we put out for the Nationwide Health Information Network, and just to give you a word on that idea, we are trying to define what is it that is needed to be able to allow functional or active interoperability between electronic health records. If they are standards compliant, there has to be infrastructure that ties them together, so that information can flow in a secure and seamless manner and can be controlled by the patient and others, in terms of who sees it and who does not. This is not random chance or happenstance that allows this to occur. It's an investment in infrastructure, and this RFI was intended to ask the questions about where does the money come from? How is it operated? Who operates it? What are the technology issues? Where are the gaps? What is it that needs to be developed? What do we have in place? What are the implications for the consumer, for the provider or other stakeholders? How does this fit within our scheme of what we are doing with standards and other things? Numerous questions. You can download them from our website or I'm sure some of you may have seen them, but we received a number of responses.

We received 540 responses from organizations and groups of organizations, and we received another 500-plus from individual people, including privacy advocates or, for example, one that I was just looking at this morning, which was the story of - from the parents of a child, an 11-year-old, active, healthy child, who was playing soccer, cut his ankle, had an infection in the ankle that had to have an IND - that is an incision and drainage, for those of you that didn't spend part of your life in medical school or don't have an 11-year-old - (laughter) - and that child had a bleeding diathesis that was reported in its personal health record and electronic medical record, and the surgery center did not have this information available, and the child bled to death, and this parent wanted everyone to know about what interoperability meant in a very real way in people's lives, and so we went from very large industry companies to very real experiences about having information and what it means, and we are now pouring through those responses.

We have assembled a federal task group that has about 150 federal employees on it spending a significant chunk of their time - I think a number of people here are doing this in your spare time. I know things are very busy, but this is a real treasure trove of information that helps us understand how to guide policies and what the actions of the federal government should be and how it is that this challenge that the President gave us comes to exist, and so we are compiling and creating a meta-analysis of those responses, so we can understand the types of responses and what they mean, and then we'll be releasing that internally first and then externally, so there can be a debate about what does this mean and where do we go from here, and what are the issues.

And so this is a very important thing that I think has had numerous contributions from federal agencies, but, also, I think, it has contributed to people's thinking about how does this compare to what we might be planning in an agency or another effort. So this is an important effort underway, and, to our knowledge, 22 of the respondents have publicly released their responses, and they are available from a variety of sites. I think HIMSS was compiling a list of all the publicly-released responses. So we'll be doing more with this.

Now, following from this, as you know, last year, we released the framework for strategic action that took the President's overall vision and unbundled it into a series of specific goals and strategy, and we are now working actively - the RFI is one part of this, but we have a variety of activities going on otherwise to define not just the big goals and strategies, but the who, what and when components, so this framework can become a full strategic plan.

We were charged by Executive Order 13335 to maintain, release and advance a strategic plan, and we have had now seven months, and, by the time we release, short of a year of numerous public reviews. We have seen more than 300 meetings and conferences that have discussed and reported on the strategic framework. We have had numerous letters and forms of communication to us giving us feedback and thoughts, policy statements from groups representing providers, consumers, health plans and others, and we feel now that that can be mixed with the significant internal dialogue within federal agencies about this to be able to make more definitive statements about how we'll move forward. So that is underway, but we do expect to address four specific issues.

One is the adoption gap, which, as you know, results from large hospitals and physicians being in a position to put in place electronic health records and small offices of doctors or hospitals being unable, and the Commonwealth Fund that recently reported that - the Commonwealth Fund Report that showed that large physician offices, with more than 50 physicians, have a 60-percent chance of having these technologies or being very close to full implementation, and small offices of less than 10 physicians have around a 12- to 15-percent chance. So there's a four-to-one gap that we think is quite significant that needs to be addressed.

Secondly, technical harmonization. I have been having a variety of meetings with standards organizations and face the conundrum of - we have numerous standards-development activities underway, which represent, I think, one of the great accomplishments in healthcare in terms of the ability to have consensus-based dialogue about how is it that we represent syntax or we have transmitted or we allow interchange to occur, but I think it is fair to say that we don't have a macro process that ties those organizational processes together into one or a finite set of tasks, so that we can understand how we develop the overall profiles that cross different standards-development activities. So we are looking at how we can do that, and I think that that shows promise for being able to develop a much clearer release process over time.

Thirdly is business-process harmonization. I think one of the most substantial things that we face in interoperability is that numerous hospitals, doctors or other participants can be HIPAA compliant, yet non-interoperable with others, because of their security policies or access or authentication or authorization policies, informed-consent policies; and states, obviously, with preempting can set various different levels, and so these business-process variations, I think, are quite significant.

An example could be one organization could say that only a password is required to get access to their information. Another could say that a biometric device must report, your thumb scanner, retinal scanner, whatever other body component you want to represent you with, but the point is that we - to allow that information to be exchanged, either the security organization has to raise their level of security, which is costly, or somehow the high-security organization needs to lower their level of security, which perhaps is risky to them, given their policies or there needs to be a trusted broker in the middle, and we are really trying to understand how that can happen, but this, to me, emerges as one of the most substantial barriers to interoperability, because I think the technical issues can be resolved and have been resolved in other industries and even in healthcare.

And, of course, we want to speak to privacy and we want to understand what is happening with your hearings and continue to listen and watch that and to summarize a variety of our own dialogues that have been held in various settings.

So this should be forthcoming. We are targeting this for this calendar year. I don't have a firm date yet, because it is the result of a series of deliberations, rather than the deliberations serving a date, but I think it is very important that we do have clarity with what needs to be done and how we need to be able to do that.

Finally, I sent a letter to you describing what we are doing with Federal Health Architectures. You know, this is the vehicle by which the federal government aligns information tasks in the health line of business, and the challenge of this has been to develop standards and business processes and contracts and various other implementations, so that we can have a more harmonized set of federal information systems.

This is important because it is not just living in an island in the federal government. This translates into how information is reported for public-health purposes, how information is reported for bioterrorism purposes, how information is reported for quality monitoring for clinical trials or for market-based adverse-events around drugs, and the Federal Health Architecture has worked for several years to try to develop plans for alignment, but we are scaling up and escalating those activities, and we are asking for your commentary and review and input on how we can integrate this more directly with what is happening in the private sector and how we can make this activity a more meaningful state-of-the-art activity, given the planning and management techniques that are available.

In the end, it is our goal to use this to streamline what it is the federal government does, not just for short-term budget savings, but so that we are not imposing new costs or burden on the private sector as each individual agency fulfills its programmatic purpose by asking for data on a one-up basis from the private sector - not that that would ever happen.

So this is where we are right now. It is a very busy time, but I think we enjoy not only the continued support of the President, but, now, Secretary Leavitt, who has been a wonderful contribution to the Department, and, already, his very positive leadership is being seen, and so I will ask you to stay tuned, and I would be happy to answer your questions in the time that I have remaining.

Thank you, Simon.

DR. COHN: David, thank you.

Comments or questions?

DR. STEINWACHS: David, you briefly sort of mentioned the challenges about having consumers exert control over their parts of the National Health Information Infrastructure. Is there a process that you are particularly undertaking trying to engage consumer groups and bring them together with the professional groups or - I'm sure you are hearing a lot from consumers around these issues.

DR. BRAILER: We are, and there are really - right now, Don, there are three classes of activities, but I don't think they were intentional. They just kind of self clustered.

First, in many of the regional initiatives around the United States, I would say the overwhelming share of them have consumers involved, and when asked - even though we have no definitive policy position, our sense is consumers should be a meaningful stakeholder being there, and so I know that there is a great deal of dialogue.

A number of regional projects have submitted responses to the RFI and told us about how consumers are involved and what the issues are that they raise, and it is not surprising that they don't see the world in the same way that the provider or the plan does and that in many of the projects they have reported that the consumers are looking for a true person-centric approach to this that would not be unlike Google or other things that allow information and process to surround the person, as opposed to the other way. So that is one.

Two, we do have a number of consumer groups who have reported to us their concerns through the RFI, and it has kind of become the common pathway by which a lot of people have given us feedback on, frankly, a wide variety of issues that go even beyond the specific questions, and we are still compiling that. I wouldn't have any way of really reporting to you anything meaningful, but there's clearly a signal coming through that this is on the radar screen of most consumer groups. They see both risks and benefits, and they are trying to make sure that our actions unlock the benefits in a way that don't create either the risks or the perception of the risks.

And, thirdly, there are a variety of conferences and meetings that we have been participating in that are organized around the consumer front where this might be one of many issues, and, there, we are really listening to hear where the dissonant messages are, but, you know, I think if I could characterize the overall message I hear it is the issue of data control and ownership, although I personally don't know how to use the word ownership here, because I don't think it means the same thing to every person, but I think therein lies the question of where do we go. It is a question that goes far beyond privacy. I think it has more to do with autonomy and trust, and, you know, I think they are asking, over time, for definitions. I consider that to be kind of one of the real social-policy questions that we are going to come up against, but, right now, we have very positive engagement from the consumer groups, who see adverse events and see the use of funds for things that are wasteful versus things that could be beneficial and really want to exert choice and have information to help them pick treatments and doctors and hospitals. So it has been a very positive experience so far for us. Thanks.

DR. STEINWACHS: Thanks, David.

DR. COHN: Yes, David, I was just going to ask - I actually thought Don was going to ask. He is our new Chair of the Subcommittee on Populations, and I'm sure that he was interested in the second bullet in your letter talking about the population dimension and -

DR. STEINWACHS: See, Simon, I relied upon you to cover for me. See? (Laughter).

DR. COHN: Well, I knew you would be interested. Yes.

So we are just curious if you had any thoughts about that or any comments.

DR. BRAILER: Well, you know, to be candid, I think one of the reasons we include this in the letter is because this is one of those other areas which is quite poorly defined, and we don't think that we are in a position to provide the definition for that; but, clearly, the concern here is that, as we move into a point-of-care - an age of modern point-of-care information technology, where clinicians have - at their fingertips to do the things that we want clinicians to do and consumers have them, the natural question becomes how do we make use of this information to change how we view the monitoring and the correction of public-health deficits.

I have no doubt that we'll find a whole new set of issues and a whole new set of lever arms to make change, and I find this to be one of the really important, long-term agendas that is only beginning to be grappled with, and so we are hoping that you can provide clarity and some definition, if not, you know, a roadmap, at least a set of the key questions that should be addressed, because, as we go through this period over the next few years - and I mean we as an industry and not we as in government - we have opportunities to do the right thing in terms of setting up the infrastructure to advance population health monitoring and improvement or we could be agnostic to it and just let it fend for itself, and I am hoping that those issues come to the table.

I was very happy to see a number of population health organizations and advocates, again, respond to the RFI and raise those questions. So I am not signaling a deficit in the responses. It is really more this is a chance for important dialogue, then I think now is the time, because I do believe over the next couple of years that decisions will be made that will potentially foreclose options that are unknown. So I hope that we can have more dialogue about that. We certainly would welcome your feedback and reports.

MR. HOUSTON: You indicated that the RFI, the input from the RFI was going to make its way into some type of document. What is the intent of that and what is the time frame and -

DR. BRAILER: Well, let me tell you the reason for that. You know, we could have asked these - put these questions out and worked with NCVHS to have people come and give testimony.

Now, I calculated, based on the number of pages of responses that we got you would have about 9,000 hours of testimony and plus there was a second issue, which I want to highlight in addition to just the time burden, and that is that we felt like one of the mistakes that we could make was to allow public posturing to take place for real disclosure deficits, and my point is not to say that what happens here is public posturing, but when we have companies that build security technologies or other technologies, we don't want brochure ware. We want to know what they can do, and many of our responses have asked for trade-secret protection, which is a quid pro quo of a full disclosure of what they can do.

As we try to assess the technical gaps that we face, I think it is very important that we understand whether or not we are building off the shelf or if we really have to go back out and do fundamental R&D to solve these problems, and we did allow trade-secret protection in this process. That is why we called it an RFI, as opposed to a variety of other mechanisms.

Now, the quid pro quo is, given that we have to give those protections to individual responses, we don't want that to coop public debate about these important issues that would happen if testimony came here. So we announced when we announced the RFI that we would release a public summary that is not showing individual responses, but compiling them. So you'll know that 17 responses said largely the same thing about security. Four said this. Three said this, but you won't really know who it is, unless that group chooses to disclose.

The timing for that is - I'll answer it in a sequential method. We are now going through the compilation. It is incredibly tedious, and we want to make sure that we really understand not just the answer, but the meaning of the answer, and it is taking a lot of dialogue as we kind of filter through that.

When that is done, this will be released internally to make sure that there is agreement that our summary is a true and accurate summary of what happens in these responses, and then it will be put out. I can't give you a date, but it is urgent that we get that out.

And when that happens, we will then start a second process of an analysis. What I am describing now is just a summary. We are not commenting. We are not polling. We are not comparing, simply summarizing. That analysis will begin as we start trying to compile down to what are the modalities and what are the actions of government that are necessary here, and we hope that that analysis will coincide with public debate, so we can have convergence on, Well, what should we do about this? What is the parts list? How do we deal with it? Who does it? What is the role of the various players?

So, you know, our hope is that that happens certainly by summer of 2005, because of the urgency of the topic.

The urgency of the topic, I'll just say as an aside, is that we are seeing already reports of significant uptake of electronic health records as a result of the warming climate on this topic - and largely by very large organizations, I might add - but every electronic health record that is adopted is, I think, almost by definition, not interoperable, and we want to make sure that we don't wait and miss an opportunity that I think will present us once, which is now, and that is why we feel significant urgency on defining the interoperability questions right up front.

DR. COHN: Jeff and then Harry, and then we'll wrap up.

MR. BLAIR: First of all, I would really like to say how pleased I was in the initial report you have shared with us and that I have been able to read through the on-line publications, as you have made presentations to other groups, in terms of what you have been able to glean out of the RFI process and the priorities and, you know. It really answers a lot of the issues that I felt needed to be addressed. So it really made me feel very comfortable with all that you are getting out of this. So I want to extend my personal compliments on that.

DR. BRAILER: Great. Thank you. On behalf of the whole team working on it, thank you.

MR. BLAIR: There's one thing that I think you are probably familiar with and I was wondering if you had any thoughts or reactions on it. There was a survey just recently about the percentages of Americans that were concerned about privacy, and, apparently, it was juxtaposed to whether or not they felt that the benefits of electronic health records or personal health records exceeded their concerns about privacy, and if you had seen this, I was wondering, you know, if you had any thoughts about what we could do to move public opinion where they could understand two things.

Number one, the benefits of electronic health records and personal health records, but, number two, I'm not sure that the public is entirely aware of the things that have been done to protect the privacy with privacy regs and all, and I was wondering if those were two areas where you were thinking they might fold into your plans.

DR. BRAILER: First, I am aware of that study, and I know that testimony was given here recently about it, and there's a great deal of discussion about it, and I am not sure that I have anything to add to the discussion that was raised.

I did have some questions about the actual survey itself, in that I am not sure that we can draw meaningful conclusions from one survey done at one point in time with one methodology, as opposed to surveys with multiple different types of questions where the overall interpretation of them is what the American public believes, but taking that study at face value, I think whether or not those numbers are exactly right or not, I think it is very clear that Americans do have concerns about privacy of their health information. This has been a consistent finding of numerous studies going back as far as I know, which - the first I saw was over 10 years ago, and I think there's a growing - and the most interesting part to me is a growing awareness that electronic systems can do something that helps Americans, and when I looked at that study, I saw, boy, that is a pretty large share of people to think electronic health records are really beneficial, such that there's a horse race going on between these issues in the minds of most people, and I think that is a remarkable testament to how people are able to see that when their doctor uses a computer - and I admit it is a relatively rough test - that something good can happen for them. They do see the electronic health record as something that is in the realm of therapeutic for them, in terms of improving health status. So I thought that was really a remarkable movement on the positive side towards that.

I think the question about privacy, to some degree, reflects the climate of the time, and I think it represents a great deal of uncertainty about what it is that will be done, and it is that survey and others that have caused us to make sure that we have a significant set of activities going on to understand and define what those issues are and how to plumb them.

I think one of the most difficult ones is how is it that we define for the American public what the relative privacy risks are of the electronic health record compared to the paper record, and I think, you know, HIPAA notwithstanding and the rules and the great investment that many providers have made in America to ensure that records are private, I don't think anyone can differentially argue that paper is more protectable than electronic information. If that is the case, then we would not see the security apparatuses we have for various other things moving away from paper for that reason, and I think any person that goes to a clinic where there is an electronic health record and sees that, for example, the front office clerk can only see the demographics of the patient and the insurance information and don't even know what else is there, let alone being able to see it or see how information can be logged, so that when someone does view information, we can keep track of that and act on that. It really, I think, raises this question of that is not even possible in the paper world, let alone feasible.

And so I think, you know, ultimately, there are two debates that are going on, and I think we are beginning to see it. One is the relative privacy of paper versus electronics, and the relative tradeoff of privacy versus quality and access in the benefits of the electronic health record.

So, to me, the question is how do we frame that debate so it is positive? How do we make sure that we minimize any concern or reality of privacy risk and how do we make sure that the public sees and does realize finally the benefits?

One of the reasons that we have been watching the Certification Commission is because there is a significant degree of variability in the security practices of electronic health records, as are there variability in the use of decision support, which are what constitutes most of the value, and we think that it is - there is a benefit towards having a minimum feature - a minimum set of features so those can be realized.

So this is really, I think, probably one of the most important discussions that is happening over time, and I think that we see the beginnings of a very healthy debate about this topic, about how we move forward. So I was glad to see that opening salvo in this whole discussion.

MR. BLAIR: Thank you.

DR. COHN: Final question, Harry?

MR. REYNOLDS: No, my question was answered.

DR. COHN: Your question was answered. Okay.

Well, David, we want to thank you for joining us. I think, as we had discussed, obviously, we are anxious to obviously consider and work on the issues that you had described, and, certainly, from my view, the Federal Health Architecture is an important issue. The full committee will begin to talk about it in June. We may begin to have conversations within the subcommittee level before that.

The issues of the - I think you described it as technical harmonization and FHA are, to me, a very closely-connected group and are something that I know that the committees have a lot of experiences working around, and, hopefully, we should be able to provide you some assistance and maybe some advice about.

DR. BRAILER: That is very helpful. I welcome it. Thank you all very much.

DR. COHN: David, thank you.

Okay. Now, we are running a little bit late. We do apologize. We'll give everybody like a five-minute stretch break, and 3:30 the subcommittees will reconvene. Populations will be downstairs. Standards and Security will be here.

Five o'clock is the NHII Workgroup.

Remember, tomorrow morning, workgroups - Workgroup on Quality starts at 8:30. Subcommittee on Privacy and Confidentiality starts at eight o'clock. The full committee reconvenes at 10 a.m., I believe, back in this room. Is that correct? Okay.

So, thank you. We will adjourn this meeting, and we will see you this evening.

(Whereupon, the Full Committee adjourned at 3:23 p.m. to reconvene the following morning.)