[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

Hearings on Privacy and Health Information Technology

June 7, 2005

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S (9:10 a.m.)

Agenda Item: Introductions and Opening Remarks

DR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am the Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville, School of Medicine, and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens that makes recommendations to the Secretary of HHS on matters of health-information policy.

On behalf of the subcommittee and staff, I want to welcome you to today’s hearings on the National Health Information Network.

We are being broadcast live over the internet, and I want to welcome our internet listeners as well.

We will begin with introductions of the members of the subcommittee, staff, witnesses and guests. Subcommittee members should disclose any conflicts of interest. Others need not do so.

I will begin by noting that I have no conflicts of interest on this topic.

Harry, welcome back.

MR. REYNOLDS: Thank you.

Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the subcommittee. No conflicts.

MS. CHAPPER: Amy Chapper, staff to the subcommittee. CMS.

DR. VIGILANTE: Kevin Vigilante, Booz-Allen, Hamilton. No conflicts.

MS. FYFFE: Kathleen Fyffe. I work for the Office of the National Coordinator for Health Information Technology within HHS, and I am staff to this subcommittee.

MR. MC DANIEL: David McDaniel from the Department of Veterans Affairs, Veterans Health Administration, HIPAA Program Management Office.

MS. LANIK: Kathleen Lanik, Winona Health, Winona, Minnesota, Chief Health Information Management Officer.

MS. WATTENBERG: Sarah Wattenberg, staff from Substance Abuse Mental Health Services Administration and the Center for Substance Abuse Treatment.

MR. HOUSTON: John Houston, member of the committee as well as the subcommittee. I have no conflicts.

MS. BERNSTEIN: I’m Maya Bernstein. I work in the Office of the Assistant Secretary for Planning and Evaluation. I’m the privacy advocate of the department and the lead staff to this subcommittee.

MS. FISH-EDDY: Linda Fish-Eddy(?), Veterans Health Administration.

MR. SHEILS: Paul Sheils, Aetna Health Information Solutions.

MS. IVENO: Charlie Iveno(?), Aetna.

MS. MATTHEWS: Aaron Matthews(?), American Society of Clinical Oncology.

MR. BARKLE: Mark Barkle(?), Academy of Managed Care Pharmacy.

MR. CHARNER: Sam Charner, Faster Cares(?).

MS. KIRBY: Pamela Kirby, American Association of Nurse Anesthetists.

MR. GILE: Frank Gile(?), American Dental Association.

MS. FRANKLIN: Angela Franklin, Blue Cross, Blue Shield Association.

MS. LENIN: Ann Lenin, the Society of Professional Benefit Administrators.

MR. GROPPER: Adrian Gropper(?). Med Commons(?).

MR. MC BRIDE: Jon McBride, Availity.

MS. ZIGMAN-LUKE: Marilyn Zigman-Luke(?), America’s Health Insurance Plans.

DR. ROTHSTEIN: Welcome to all of you.

This afternoon, from 3:45 to 4:15, members of the public may testify for up to five minutes on issues related to the topic of today’s hearing. Please note that there will be no public testimony tomorrow. If you want to testify, please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 15 minutes. After all of the witnesses on a panel have testified, then we will have our question-and-discussion session.

Witnesses may submit additional written testimony to Marietta Squire within two weeks of the hearing.

At this time, I would request that witnesses and guests turn off their cell phones and other electronic devices that could interrupt the hearing.

Also, because we are being broadcast over the internet and recorded for transcription, we need to remember to speak clearly and into the microphones.

The hearings today and tomorrow are the third in a series of hearings on the National Health Information Network held by this subcommittee.

At the first round of hearings in Washington on February 23rd and 24th of this year, we heard from experts on privacy and confidentiality as well as representatives of consumer organizations. These individuals explored the privacy and confidentiality issues raised by creating an interoperable system of comprehensive, longitudinal electronic health records.

At the second round of hearings in Chicago on March 30th and 31st, we heard from a range of healthcare providers to get their perspectives on these important issues.

At this third round of hearings, we will hear from representatives of and experts on integrated health systems, health plans, international health systems and regional health information organizations.

A fourth round of hearings is scheduled for August in San Francisco when we will hear from technical experts on health information network design.

Additional details about this hearing will be published in the Federal Register and on our website as soon as they have been finalized.

To introduce the topic of today’s hearing, let me briefly note that one of the anticipated benefits of a national health information network is that it will facilitate the increased use of evidence-based medicine. This is certainly a laudable goal, and, in this spirit, I would ask the following questions:

What is the evidence that developing the National Health Information Network will increase the use of evidence-based medicine?

What is the evidence that the National Health Information Network will reduce errors, increase access to health records, reduce costs and improve efficiency as its supporters claim?

How can these benefits be maximized?

In addition, how have existing health-information networks undertaken to balance the privacy and confidentiality interests of individuals with the clinical and public health interests in broader disclosure of health information?

Let me clarify that this hearing is not intended to focus on the security of electronic health records, but on the rules for inclusion, retention and dissemination of health information for healthcare purposes, as well as disclosure to third parties for non-healthcare purposes pursuant to an authorization.

These are some of the issues we hope and expect that today’s and tomorrow’s witnesses will address. These are difficult, but essential questions as we move forward with the National Health Information Network.

Agenda Item: Panel I – Integrated Health Systems

DR. ROTHSTEIN: At this time, I want to welcome Panel I on integrated health systems.

We have two witnesses in person and we also have a virtual witness, Mr. Harry Lukens from Lehigh Valley Hospital and Health Network.

Mr. Lukens, are you with us?

MR. LUKENS: Yes, I am.

DR. ROTHSTEIN: Good morning, and let me ask you to begin the testimony today.

MR. LUKENS: Thank you.

My name is Harry Lukens. I am the Senior Vice President and Chief Information Officer at Lehigh Valley Hospital, which is in Allentown, Pennsylvania. We serve Allentown, Easton and the Bethlehem area, known as Lehigh Valley.

We are an acute-care hospital. We are about 800 beds, 1,100 physicians, 43,000 admissions, 100,000 ED(?) cases.

From a technology standpoint, we are one of just 38 hospitals named to America’s top hospitals and most wireless(?). From a nursing perspective, we are a magnet hospital. We are a Level 1 trauma care, and, just yesterday, we were awarded the 2005 American business award for best IS organization. That is a bit of chest thumping, but I am really proud of that.

The points I would like to make today about the electronic medical record is, first of all, it is the right thing to do. It is the right thing to do for patients. It is the right thing to do for us.

I want to tell you a personal story. Two years ago, I had a heart attack and was brought into our emergency room here at Lehigh Valley. The physicians in the emergency room did not know who my cardiologist was nor did they have access to those records.

After being - released, my cardiologist did not have access to the ED records. So there is a case in point, a very personal case, where the lack of patient information could have caused a clinical issue. It did not.

Our vision here – actually, my vision is that we provide an electronic medical record for all of our physicians, all 1,100 docs, where they would share clinical data, selected data elements agreed upon by the physicians and only the clinical data elements. We are not interested in sharing patient financial information or, to a certain extent, demographic information. The system is hosted by LVH(?). It is accessible by the physicians locally, remotely and, by the end of June, through the web.

It is our goal to have 250 physicians on line by the end of December and another 250 by the end of December ‘06.

From that, Phase 2 is to begin discussions with local - other local institutions. Our long-term goal is to create an electronic medical record for residents of the Lehigh Valley. The purpose of that would be that if any patient in the valley who sees a physician in any of the institutions, that clinical information would be available to any other physician, so that if a Lehigh Valley patient presents in the St. Luke’s ED here, those docs in the ED will have access to that information. Again, it is the right thing to do.

We have been doing an electronic medical record here since 2002. We have gotten over the interfacing issue, because I see that as one of the biggest problems in deploying an electronic medical record. That system has to talk to other systems, lab systems, radiology systems, hospital-information systems, and the data has to be two way. That takes some time to do.

Other obstacles, in my opinion, is the culture. Physicians are not easily convinced to share their patient data. While patient care is foremost in their minds, they are also businessmen, and to share all of the data about their patients could lead to losing patients to other physicians. Physicians are always concerned about not getting their patients back to them when they are referred somewhere. So the culture issue is a big one.

Another one is cost. There’s capital cost in acquiring systems - hardware, software - and it is not only one-time costs for capital, it is ongoing support issues.

We have overcome that somewhat by hosting the EMR here at the hospital IS shop so that the physicians don’t have to acquire themselves or support it. We do that and bill that cost back to them.

The National Health Service in the UK has budgeted $6.2 billion to fund an electronic medical record for the UK. We have not come anywhere close to even thinking about anything that starts with a B.

To answer your question, will an electronic medical record prevent errors? I believe it will, because your allergies and your medications and any other pertinent information that you may have forgotten to tell another doc will be available to that physician.

The system that we built here provides immature, if you will, decision support saying to the physician, "Do you know this patient is on an antidepressant and you are prescribing something that could interact with that?" That was the first thing we put in place. I say immature, because we continue to work on it.

To answer your question about cost, will it lower cost, not in the short term, because you are going to drive the physician’s productivity down, because - as he learns to use this.

Long term, however, I believe that productivity will come back, and, because of the ability to look at a patient’s record longitudinally, we should be able to reduce unnecessary tests, tests that the doc doesn’t know about, and, perhaps, admissions.

Our goal is to be able to do predictive medicine. As we get more and more docs and more and more patients in this database, we will be able to do the research on disease management for the Lehigh Valley. We should be able to see how many 50-year-old men who are overweight and not taking aspirin are at risk for something. Those are the things we can do that will reduce the costs, because they will reduce testing.

Thank you for listening to me.

DR. ROTHSTEIN: Thank you very much, Mr. Lukens, and if you can stay with us, we’ll have questions for you during the panel discussion after our two witnesses who are present. Is that okay?

MR. LUKENS: That’s fine. Thank you very much.

DR. ROTHSTEIN: Thank you.

At that time, I want to recognize Paul Tang, a member of the subcommittee who has arrived, and, Paul, could you introduce yourself and list any possible conflicts?

DR. TANG: Sure. Paul Tang, Palo Alto Medical Foundation Center Health, member of the subcommittee and no conflict.

DR. ROTHSTEIN: Thank you.

And good morning, Ms. Lanik. If you are ready, we are happy to hear from you.

MS. LANIK: Well, good morning. It is a pleasure to be here this morning to testify on behalf of Winona Health in Winona, Minnesota, regarding our transition to an electronic medical record with a focus on privacy and confidentiality.

Winona Health’s journey to a paperless system continues, and it is exciting, challenging and rewarding.

Winona Health is a non-profit community-owned, integrated healthcare system with a 111-year tradition of serving the Winona regional community.

Our services address the full spectrum of the community, the community’s primary healthcare needs from birth through end of life. These services are provided in a primary-care hospital, physician clinics, assisted-living communities, a skilled nursing home and through home-care and hospice services.

Winona Health includes a 99-bed general acute hospital, a 166-bed skilled nursing facility and a medical office building, two memory-care residences, a 61-unit assisted-living complex two miles from the main campus in Winona and a primary-care physician clinic located in Rushford, Minnesota, which is about 20 minutes from Winona.

Winona Health’s vision is to create an exceptional healthcare organization designed to meet the current and emerging healthcare needs of our community, and as our mission states, Winona Health is devoted to improving the health and well being of our family, friends and neighbors.

To that end, one of Winona Health’s key initiatives was a major change in Winona Health Services, the use and continued development of a community-wide, integrated electronic medical record.

Our journey began in 2000. So we are five years into - almost five years into this now.

Winona Health made major resource commitments to ensure that technology was available to empower staff to access information, align processes and take action to improve performance at the highest possible levels.

Winona Health’s goal for the onset for integrated electronic medical record was to connect healthcare providers in the Winona area with a single system that allowed them to share patient information in a secure setting to increase the quality and safety of care provided to our patients and to improve operational efficiencies.

It was a vision by our area physicians and our hospital to have all the information about our patients in the same database. A single electronic medical-record database would then be accessible wherever the patient would be and would move with them through the healthcare system.

Winona Health, working with Cerner(?), a healthcare software company, Family Medicine of Winona, an independent clinic, and Winona Clinic, another independent clinic, began making this vision a reality, as I said, beginning in 2000.

In February of 2002, family medicine and Winona Health’s Rushford Clinic were piloting the integrated electronic medical-record software. A year later, our hospital went live with the medical-record software, and the Winona Clinic implemented the software in the spring of 2004. So, now, our Winona-area patients’ medical records are accessible to healthcare providers throughout the community.

Our mission, from the onset, was to find a way to accomplish these goals without jeopardizing the patient’s right to privacy and to be compliant with privacy regulations, both state and federal. The question we had was how do three independent entities share the same integrated clinical information system and satisfy those state and federal privacy regulations.

We declared to the community that three independent entities would function as a single organization for the purpose of maintaining an electronic medical record. We developed a joint Notice-of-Privacy Practices. We evaluated model documents from the American Hospital Association and the Minnesota Hospital Association and presented our recommendations to our Information Technology Steering Committee. We created that joint document after, of course, obtaining legal counsel from our Winona Health attorneys who specialize in HIPAA regulations and Minnesota law.

We wanted to connect the appropriate persons, knowledge and resources at the appropriate time and location to achieve the optimum health outcome for our patients.

To ensure privacy among providers, we work together – all of the entities - to develop and deploy a single privacy compact across the community. Specifically, privacy was addressed by granting privileges to view and update information based on a staff person’s role in the organization. Audit trails were developed and processes were designed to perform those audits. Winona Health policies were updated and they are aligned with the other entities, and they corresponded with the flow and availability of information and consequences were clearly articulated for violation of privacy standards among all entities.

All staff are oriented on privacy and confidentiality policies and procedures, of course, but regular audits are a mainstay of all system users.

Firewalls and fire scanning systems are in place, and users entering patient information have their own secure log in and have access only to the information they need to do their jobs.

As I said, at Winona Health, confidentiality - or Winona confidentiality policy was created using Community Memorial Hospital, Lake Winona Manor, our long-term care, Rushford Clinic, Winona Clinic and Family Medicine to provide private information - to protect the privacy of the information. This policy includes a statement that is signed from everyone from volunteers to physicians, students, staff. We have privacy officers for each entity, and that is outlined in our notice. The privacy officers from all entities meet weekly, communicate via email or phone, and, starting in July, we’ll be meeting actually on a monthly basis with all the privacy officers.

The results of our audits that we conduct are reported to our governing board.

Dr. William Davis is our medical director for health information technology, and he sent a quote along for me to share today.

Electronic medical records are the ideal records for privacy and security, unlike paper records that can be accessed by anyone and easily misplaced or stolen. Electronic records are protected by user names and passwords and access to the record can be monitored and audited. Access to the records can be restricted by department or by classes of users. For example, access to mental-health records can be restricted to only physicians or to mental-health treatment professionals. When physicians access the records from remote locations, such as from home, two separate user names and passwords are required for access. Patients can feel very secure with electronic records.

The integrated electronic medical record is improving the quality of care that we provide to our patients. Because of its instantaneous documentation and accessibility to the patient information, information that clinicians need is at the point of care.

Another quote from one of our physicians said it is right there. It is hard to beat that, and electronic prescribing is a huge advantage. All patient medications are listed on the record. The interactions are documented and it avoids errors.

Our integrated electronic medical record means better healthcare services for Winona-area residents entering our emergency department. After a quick registration, all information entered from previous clinic, hospital and outpatient visits automatically is displayed on our ED computers, from allergies and medications to lab results. So our emergency department staff know they have access to a patient’s most recent health data allowing them to determine any change in the patient’s health status.

As Dr. Davis also noted, the electronic medical record allows us to get the most current patient information anywhere, any time.

The Winona health organization has several committees that evaluate and provide recommendations to our information technology steering committee regarding updates and purchases. They are instrumental in communicating the changes that will occur for users.

We have a satisfaction survey, of course, to our patients and residents and we continually ask them about our privacy in our satisfaction survey results, and when we utilize Presgane(?) for our satisfaction survey results, we came in number one to our peer group on privacy from our patients and residents.

Our information steering committee receives input from our patient IT steering committee, information systems department, health information management department, and on the patient care IT committee and the IT steering committee, all entities are represented. They are included in our privacy notice.

We have experienced better working relationships with our area clinics. It has provided better insight to each other’s needs. We now think about the entire care continuum and decide on best practices based on that. We shared educational sessions with each other as well as policies and procedures.

Our clinical information systems is allowing us for better registration process, for recording our patients’ wishes.

We anticipated that the physicians would not utilize the paperless system, but were surprised to discover that they saw efficiency and value and have embraced it and have created an evidence-based committee that is looking at, of course, the computer physician order entry. This acceptance continues to move the momentum forward to our goal of being totally paperless.

As we move from our current hybrid record to a paperless record - because our legal record is partially electronic and partially paper at this time - we continue to reorganize, restructure and reengineer our job functions. Each of the process leaders for the particular functions had to submit a cost-benefit analysis to our CEO and CFO as to the efficiencies that we are experiencing.

Every department has a dashboard that looks at performance improvement and on there we are looking at efficiencies.

Our turnaround time for chart completion, which can be a safety issue, and, of course, a continuity-of-care issue is at what we call gold standard. Last two joint commission surveys had stated they had not seen turnaround time of electronic records that efficient, and, of course, it has to do with the electronic medical signature.

We currently are reviewing what is still paper, what is working and what is not, and we are facilitating a way to migrate documents that are not electronic to the electronic format. We are looking at a proposal for low-volume scanning. We are very cautious to scan anything and everything. We are looking at what is important to scan and, again, moving paper to electronic.

Winona Health benchmarks itself in IT using the Hospital and Health Network’s most wired survey, and we were named the most wired for small rural hospitals three consecutive years. Results from that survey are used to create plans to keep Winona Health competitive.

We also received a patient safety improvement award in its innovation and patient care from the Minnesota Hospital Association. We have just recently applied to the Minnesota Quality Council, which uses the Malcolm Baldridge(?), and we received the second level of recognition there, and, just recently, we completed our national Malcolm Baldridge application.

SPEAKER: Explain what that is, because I don’t know if everybody knows.

MS. LANIK: Oh, the Baldridge?

SPEAKER: Yes.

MS. LANIK: The Baldridge is a set of criteria, seven criteria that’s used across the continuum to improve your organization. It is an award given by the President of the United States every year, and in 1999, the Healthcare Criteria were introduced along with education, and our Minnesota Council for Quality uses the same criteria, the seven criteria, and we looked at - went to our governing board to see if it would be possible to take a look at using our resources to make application to the state level first and then to the national level.

The national Baldridge application is a lengthy process. It is a 50-page application, and it takes a look at - as I said - seven criteria, everything from how we handle our strategic planning and leadership to how we measure and monitor for performance improvement, and the Minnesota Quality Council was extremely impressed with how we handle our electronic medical record and made many comments to that as well as did the joint commission, but the criteria is stringent, but we are hoping for a good response.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. Appreciate your comments.

For those of you who have our agenda, you’ll notice that Dr. Peter Basch was scheduled now to testify, but he has been - he is unable to make this morning’s meeting.

I also want to recognize Dr. Richard Harding, a member of the subcommittee who has just come, and ask you, Richard, to identify yourself and indicate if you have any conflicts.

DR. HARDING: I am Richard Harding and I am Chairman of Neuropsychiatry at the University of South Carolina and a member of the committee and subcommittee and have no conflicts in this situation.

DR. ROTHSTEIN: Thank you, Richard.

And, now, our next witness is Mr. David McDaniel from the Veterans Health Administration. Welcome.

MR. MC DANIEL: Thank you, Dr. Rothstein. It is always good to see a fellow Louisvillian here in Washington.

DR. ROTHSTEIN: Yes, indeed.

MR. MC DANIEL: Thank you folks for being here.

I also have a short clip, if time permits, I would like to share with you that we put on the internet for our veterans that sort of outlines the benefits of our electronic medical record, if we have time for that.

Again, my name is David McDaniel, and I am the Deputy Director of Business Development and the operational lead of the HIPAA Program Management Office in the Veterans Health Administration, one of three distinct organizations in the Department of Veterans Affairs.

VA’s mission is to serve as a principal advocate for America’s veterans and their families and to ensure that they receive the care, support and recognition they earned by service to this nation.

VHA is charged with administration of the health programs of VA through an annual budget of more than $27 billion. As such, VHA is the largest national integrated healthcare system.

VA serves a patient population of more than five million veterans, employs nearly 200,000 individuals and operates more than 1,300 sites of care, including 162 hospitals, 850 community and facility-based clinics, 135 nursing homes and domiciliaries and 206 readjustment centers.

We also are a major contributor to medical and scientific research and the nation’s largest provider of graduate medical education.

My office, the VHA HIPAA Program Management Office, was established at the direction of the Undersecretary for Health and is aligned within the chief business office. We are responsible for ensuring that VHA complies with HIPAA and providing guidance during the compliance process.

The HIPAA PMO assists offices in identifying current and future activities and initiatives that may be affected by HIPAA regulations.

In addition to VHA status as the nation’s largest healthcare provider, VHA is also, perhaps, the most scrutinized healthcare system in the United States.

We have established VHA as a model healthcare system characterized by patient-centered, high-quality, high-value healthcare through adoption of evidence-based practices, proactive approaches to patient safety and the use of advanced technologies. VHA’s success in improving quality, safety and value have allowed it to emerge as an increasingly recognized leader in healthcare while increasing its customer satisfaction.

VHA did not undertake this transformation to polish our reputation, but to create the best possible system of healthcare for our veterans. In doing so, we have blazed a trail in the field of electronic healthcare records and management. We believe that the adoption of this technology offers the possibility of ever better healthcare. The need to improve on the delivery of healthcare is always before us.

Among the alarming statistics concerning the healthcare industry today are these: One in seven hospital admissions occurs because healthcare providers do not have access to previous medical records. Twelve percent of physician orders are not executed as written. Twenty percent of laboratory tests are requested because previous results are not accessible. Ninety-eight thousand Americans die each year from medical errors.

In VHA, we are proud of the advances we have taken in technology that help to address some of these issues. VHA has had automated information systems in its medical facilities since 1985. Beginning with the decentralized hospital computer program information system, which included extensive clinical and administrative capabilities, the Veterans Health Information Systems and Technology Architecture, or VistA, which also supported ambulatory and inpatient care, delivered significant enhancements to the original system with the release of the computerized patient record system or CPRS for clinicians in 1997.

CPRS provides a single interface for healthcare providers to review and update a patient’s medical record and to place orders, including medications, special procedures, X-rays, patient-care nursing orders, diets and laboratory tests.

CPRS is flexible enough to be implemented in a wide variety of settings or a broad spectrum of healthcare workers and provides a consistent event-driven window-style interface.

CPRS organizes and presents all relevant data on a patient in a way that directly supports clinical decision making. The comprehensive cover sheet displays timely patient-centric information, including active problems, allergies, current medications, recent laboratory results, vital signs, hospitalization and outpatient clinical history. This information is displayed immediately when a patient is selected and provides an accurate overview of the patient’s current status before clinical interventions are ordered.

CPRS capabilities include a real-time order-checking system that alerts clinicians during the ordering session that a possible problem could exist if the order is proceeded, a notification system that immediately alerts clinicians about clinically-significant events, a patient posting system displayed on every CPRS screen that alerts clinicians to issues related specifically to the patient including crisis notes, warnings, adverse reactions and advance directives, the clinical reminder system that allows care givers to track and improve preventive healthcare for patients and ensure timely clinical interventions are initiated, remote data-view functionality that allows clinicians to view a patient’s medical history from other VHA facilities to ensure the clinician has access to all clinically-relevant data available at VHA facilities.

VistA Imaging is also operational at most VHA facilities. VistA Imaging integrates traditional medical-chart information with medical images, including X-rays, pathology slides, video views, scanned documents, cardiology exam results, dental images and similar visual data into the patient record.

On the medication side, bar-code medication administration addresses the serious issue of inpatient medication errors by electronically validating and documenting medications for inpatients. It ensures that the patient receives the correct medication in the correct dose at the correct time and visually alerts staff when the proper parameters are not met.

HealtheVet Desktop is an application framework that will host the new generation of VHA clinical applications. Care management is the first application to run on this new HealtheVet Desktop and is an enhanced version of CPRS designed to assist healthcare providers in identifying clinical interventions that might otherwise be missed.

Care management provides an automated method for tracking followup actions and tasks for a panel of patients or for a designated period of time.

Implementation of the care management project will improve patient care by ensuring that appropriate clinical interventions are provided on a timely basis, ensuring that clinical notifications are processed on a timely basis, reducing the amount of time primary-care providers spend reviewing individual patient records and reducing the risk of erroneous data entry.

These technologies have shown their worth in the increased quality of care in VHA, which compares favorably to the best performers in the industry in 18 performance-quality indicators in areas such as breast-cancer screening, cholesterol screening, diabetes care and pneumococcal immunization.

At the same time, VHA has outscored the private sector in customer satisfaction and ambulatory care, inpatient care and pharmacy services as well as in the overall satisfaction scores.

VHA is proud of our accomplishments and we are working to share our knowledge with others who hope to improve the availability and quality of healthcare to all citizens.

However, as the move toward implementing electronic health records across all of healthcare in the United States picks up speed, we are becoming more aware of the impacts that these initiatives have on privacy and confidentiality of health records as well as the impact that privacy laws and regulations are having on the ability of healthcare providers to implement these strategies.

As someone who deals daily with the issues surrounding the privacy of health records, I can tell you that the promise of a national health information infrastructure remains a lofty and valued goal. Reaching that goal will require a concentrated effort to overcome the hurdles to sharing information both as a result of the many varied privacy laws with which we must comply, and in the daunting task of finding a means of coordinating and facilitating the progress toward that goal in an environment where everyone brings an agenda to the table.

The internal development and implementation of electronic health records and its component parts was not difficult for VHA as long as we were working internally, but looking externally, even to a partner as close to us as the Department of Defense, we began to encounter regulatory barriers to accomplishing the mission that the President had set forth for us.

For example, the need to share medical records between VHA and DOD is obvious. However, our efforts to streamline the sharing of data with DOD have met with difficulty because of the various laws designed to protect the data that each department holds and in the interpretations of those laws. Many of the laws we must consider are common to each of our departments - the Privacy Act and the HIPAA Privacy rule, for example - but each department has interpreted those laws and even the guidance provided about those laws somewhat differently. In addition, each department has its own privacy and confidentiality laws and procedures that also must be reconciled.

This struggle to understand and apply privacy legislation in partnership with other organizations is not unique to VHA and DOD. I anticipate that as a broader population begins discussing how to make information-sharing a reality, the same struggle to gain a common understanding of how to protect the privacy of a patient’s information will be a paramount issue to overcome.

VHA is approached by private non-federal entities with an invitation to participate in local or regional health-information organizations. This benefits our veteran patients who may be receiving fee-basis care or care by providers through private insurance by making healthcare information available to all concerned providers for a more holistic approach.

VHA must reconcile federal laws with local or state laws regarding privacy, particularly privacy of medical records in each state where we participate in these organizations.

VHA has facilities in all 50 states as well as Puerto Rico, Guam and the Philippines. We do not advocate the wholesale repudiation of any of our privacy laws. VHA is firmly committed to protecting the privacy of our veterans’ records, but we realize that our ability to expand on the advancements seen in the VHA healthcare system requires walking a fine line between protecting privacy by limiting access to records and the disclosure necessary to enhance the accessibility and quality of care.

The technology that would allow us to partner with other providers to enhance care is available, but we haven’t overcome the legal hurdles necessary to allow us to effectively share the data.

We look forward to a United States healthcare arena where this balance can be found, where a patient’s rights to protect his individually identifiable health information and the healthcare provider’s ability to know all of the necessary information to provide high quality, well-informed care can coexist.

On behalf of VHA, I thank you for the opportunity to share our experience with you.

DR. ROTHSTEIN: Thank you, Mr. McDaniel, and I believe we will have time to see your film clip, thanks to the ability of all the witnesses on the panel to keep within their time limits, so I thank you for that.

I want to welcome Dr. Simon Cohn and invite you, Simon, to introduce yourself and indicate any possible conflicts.

DR. COHN: Okay. Well, I’m Simon Cohn, member of the subcommittee and chair of the full committee. I have no conflicts of interest.

MR. MC DANIEL: It’s telling me I can’t play the file. I’m sorry. I’ll make it available to you. It is actually on a clip that is on our internet, so it is readily available on the internet. We just don’t happen to be on the internet here. So -

DR. ROTHSTEIN: Okay. Well, that was a short - very short -

MR. MC DANIEL: Very brief.

DR. ROTHSTEIN: - film clip.

I know that my fellow panel members have - or fellow subcommittee members have lots of questions for all three of you, and I have a couple of informational type questions that I want to ask to get on the record before we follow up on those, and let me begin with Mr. Lukens.

MR. LUKENS: Yes.

DR. ROTHSTEIN: You didn’t mention whether the physicians who entered the patient medical records into your network obtained any consent or authorization from the patients. Could you tell us about that?

MR. LUKENS: The patient signs basically two documents. One is the HIPAA - the standard HIPAA form that says this is what would happen just in the general course of treatment.

The second document is something we developed that says this data could be shared with other care givers who are treating you, and we also have something in there that says the data is not going to be shared with anyone that they do not provide consent for.

To date, we have yet to have a patient that says no, don’t release my information to other doctors.

DR. ROTHSTEIN: So tell - I am just trying to get clear this second document. The first is just a - first is the acknowledgment - right? - of the notice of privacy practices?

MR. LUKENS: And the second is a document that says that Lehigh Valley Hospital is in the process of developing a patient clinical database with information from all patients whose physicians are part of this program and that their data will become part of this clinical database, unless they specifically opt out.

We also tell them that the benefits of this is if they appear in an emergency room, the practice data will be available to the ED docs or any other physician that they may go to for treatment.

DR. ROTHSTEIN: Okay. Thank you.

Let me ask you, Ms. Lanik, is there an opt-out procedure or something similar to that in your system as well? Suppose someone didn’t want their records shared with the other two entities?

MS. LANIK: Yes, we have that. We have the processes in place, but we lock it down. We lock down the - whatever clinic - For instance, if they are a patient at Winona Health, the hospital, and they, for some reason, don’t want Winona Clinic to see that, we have the capability of locking that down.

DR. ROTHSTEIN: And has anyone done that?

MS. LANIK: No.

DR. ROTHSTEIN: So they have all elected to have the -

MS. LANIK: All elected to.

We have questions from patients. As soon as our notice went out, we had calls from patients in the community saying, Does this mean that you are going to sell my information? No, and that we would have - we had community gatherings where patients could come and ask about the electronic record and, of course, have information available to them about it, but, no, they have all opted to - because we have tried to do a good job of communicating to them and educating them on the fact that it is safer.

DR. ROTHSTEIN: And let me follow up by asking about your scanning operation that you are embarking on. Do the patients have any input or any role in deciding what in their medical records is scanned or what is not scanned?

MS. LANIK: At this point, we haven’t brought that into it. Right now, we are looking at the possibility of scanning. We don’t scan at this time.

DR. ROTHSTEIN: Oh, I see.

MS. LANIK: So we don’t scan yet. It is one of the things that we were going to do, but it was cost prohibitive at the time, and we realized when we didn’t get the scanning function it really helped us look at what we have in our paper record, so that we weren’t scanning garbage, garbage in, garbage out.

DR. ROTHSTEIN: What about for the current electronically-developed records? Do the patients have any control over what goes into the system?

MS. LANIK: Well, they don’t have any - Let me see how I can answer that to the best of my ability. They have the right, of course, to exclude anything in their record, but, at this time, they are not part of our IT committee to look at what should be in the electronic record.

DR. ROTHSTEIN: Have any of the patients exercised that right to exclude materials?

MS. LANIK: No.

DR. ROTHSTEIN: Okay. And for the VA, is there any content control that is vested in the veterans?

MR. MC DANIEL: When we do scanning, photographs, things like that, we do follow the requirements of the Privacy Act in getting an authorization before the photograph is taken, and they know that that is going to be used as a part of their record, but from the standpoint of it living in the electronic record versus living in a paper record, we treat it as though it is individually identifiable health information and we would protect it regardless of what avenue it was in. Whether it was in a paper version or whether it was in an electronic version, we would treat it the same way.

DR. ROTHSTEIN: Well, my question is not that so much, but whether the patient has a right to have certain information not in the record.

MR. MC DANIEL: Well, we certainly do give the patient the right to amend their record or request an amendment for the record. So if there is something in their record that they feel is erroneous or something that they do not want to have reflected in their record, they do have a right to request that, an amendment to the record to exclude that.

DR. ROTHSTEIN: And many covered entities have a policy of not granting those requests. Does the VA grant those requests?

MR. MC DANIEL: Not that I know of that we would have a hard-and-fast rule that says that we do not. Certainly, we want the medical record to be as accurate as possible, and if there are things in the record that are not correct or not appropriate, we would not want those in the record anyway, and if the patient brings those to our attention with an amendment request, we would likely grant that.

DR. ROTHSTEIN: Okay. I recognize Mr. Houston and then Ms. Fyffe.

MR. HOUSTON: Thank you. I have a couple of questions for Mr. McDaniel.

With regards to CPRS - and I guess, as well, as your other clinical systems - are they facility-based at this point or are they deployed as an enterprise solution where information contained in it or is available between the different VA facilities right now?

MR. MC DANIEL: There is a capability to dial into another facility and get information from another facility, but it is not a single solution. It’s - they have the capability if, for example, we know that a veteran is seen in two different hospitals, distinctly - which happens quite often with Snowbird Veterans who may live in the north part of the year and in the south part of the year - they would be able to access information from that other VA medical center, but the CPRS system itself would be exclusive to those facilities that would just have access.

MR. HOUSTON: And is there some type of MPI that enables one VA facility to know that that same individual has been seen at other facilities or do they just need to know where to go for it based upon a patient’s -

MR. MC DANIEL: They would need - at this point, would need to know where to go.

MR. HOUSTON: Okay. A couple of other questions.

I was interested that you are, obviously - like a lot of other entities - are wrestling with the variety of privacy laws that you must comply with, and I guess two questions.

One, have you figured - what is your process right now to try to evaluate the different federal and state laws and how they interplay?

And, then, secondly, do you have any strategies, right now, as to how you think you are going to try to sort of weave everything together into a - you know, so you have a system that is transparent and, you know, can -

MR. MC DANIEL: Right. Our strategy with implementation of the Privacy Rule of HIPAA, because we already had the requirements of the Privacy Act as a federal agency, was to create for our employees at the facility level a privacy program that, to them, was transparent. Their policies and procedures, their business processes and requirements weren’t specific to HIPAA or weren’t specific to the Privacy Act, but were specific to our privacy program, and we tried to encompass all of those privacy requirements and resolve any conflicts or issues related to folding those together -

MR. HOUSTON: Is that including state laws?

MR. MC DANIEL: - before we put that together. We did not deal with state laws because we operate on federal property, and we are not required to adhere to state law, except where that state law impacts us when we are doing a business relationship with somebody who does have to comply with that state law. For example, a medical center in the community, we couldn’t cause them to break a state law in order to satisfy our business needs.

So, up to this point - up to the point where we are now being asked to be considered as a part of that network of programs sharing information, have we really started to think about, okay, how does a state law fit into what we already know from the Privacy Act and from the HIPAA Privacy Rule and how do we manage that?

To answer your question as to what our strategy is, we are currently discussing with our general counsel on some of the requests that we have gotten to participate in these sharing groups and trying to determine how we do go forward, because once we have made the decision to do that, we have that decision made times 50, because we have to then address each one of the states that might ask us to do that as well.

MR. HOUSTON: So you are still trying to -

MR. MC DANIEL: We are still trying to get our arms around that from the standpoint of how we incorporate the state-law implications into what we already have in the federal laws.

MR. HOUSTON: Is there any time frame in which you think general counsel is going to - or you are going to have some type of solution?

MR. MC DANIEL: It is a primary discussion that we are having with them right now. It is one of the top things on our list to discuss because we have gotten those requests and we are trying to be responsive to those.

MR. HOUSTON: I would be very interested. I don’t know what the capability is to - once that decision is made, but I would really love to understand what the strategies are. I think it is really important to - you know - organizations that are in multiple states - or are going to ultimately be in multiple states. So should try to understand what that strategy is.

DR. ROTHSTEIN: Sarah, you had a followup question?

MS. WATTENBERG: Yes. Since you are a federal agency and I know that the VA provides a lot of substance-abuse services, do you integrate compliance with the federal confidentiality regulations for substance-abuse records?

MR. MC DANIEL: We do, and, in addition to that, we also have to consider the Title 38 regulations that are imposed on us as well. So, for example, very sensitive issues like HIV and things like that, we have our own regulations that we have to comply with. So there are quite a number of those federal components that are incorporated into our privacy program today.

MS. WATTENBERG: So your systems have already sort of figured out where Part 2 is relevant, where HIPAA is relevant and they can accommodate both of those?

MR. MC DANIEL: Well, it is actually built more so on our business processes and how we use and disclose protected health information, not so much on the system itself.

MS. WATTENBERG: I see. So you do it before information enters the system via the consent process for Part 2 or - Okay. That is interesting.

MS. FYFFE: Thanks, David. Good testimony.

Hypothetically, if - let me describe a scenario to you. If an 18-year-old person on active duty, a woman, has a pregnancy which either went full term or was terminated and that person eventually becomes a veteran and is in your record system, if that individual wanted not to disclose the fact or let anyone know that she had a history of a pregnancy or a termination of that pregnancy, how would the VA system be able to handle that or not handle that? That is a hypothetical.

MR. MC DANIEL: That is a really good one, Kathleen.

MS. FYFFE: Okay. That’s why I asked it.

MR. MC DANIEL: I think probably, based on my understanding of how we receive information from the Department of Defense, because that record would have been created by the Department of Defense, the request to redact that information would have to be made to the Department of Defense and whatever record that we got from them would be the record that we would have on that individual. That wouldn’t say that we couldn’t redact that information, if there was an appropriate reason and need for that information to be redacted. Once we had that record, they could make an amendment request and it would be determined, at that point, as to whether or not the information would be taken out of the record.

DR. ROTHSTEIN: But suppose you didn’t get it from the Department of Defense. Suppose you got it from this woman’s private healthcare provider?

MS. FYFFE: Yes, before she went on active duty.

DR. ROTHSTEIN: Right.

MR. MC DANIEL: I think, again, the scenario would be the same. Either she would choose to have that other physician redact the information before we received it or she would make an amendment request to us and it would be determined at that point whether it would be taken out of the record.

DR. ROTHSTEIN: Mr. Reynolds.

Okay. Yes. If you’ll stand by for a second, Harry, we’ve got a - Maya wanted to know how that same request would be handled in the other two systems. So, Ms. Lanik.

MS. LANIK: It was a very good question.

For us, if it is - As I stated earlier, we have four different - our org security is broken down in four different parts and one of those are the restricted patient, as I stated.

If it was a woman who came in and was at the Winona Clinic, for instance, and then was a patient at the hospital, and that information was - the hospital - they didn’t want that information from the hospital to be seen at the Winona Clinic, we can restrict that.

However, her care providers, her physician and the clinicians taking care of her would have that information at our organization.

DR. ROTHSTEIN: So she couldn’t keep it from other physicians?

MS. LANIK: Not from the physician that is taking care of her, no, not currently the way it is set up right now. She could restrict - Let me back up just one moment. At our organization, Winona Health, at the hospital, if a patient came in and there was information from the Winona Clinic - at the Winona Clinic that she did not want present in the hospital record, that could be restricted and vice versa. Does that answer it?

DR. ROTHSTEIN: I’m not sure. I suppose the question is she comes in now for a sprained ankle and who, taking care of her for the sprained ankle, gets access to this information?

MS. LANIK: Right. If she is a Winona Clinic patient being seen by a physician there who has privileges at our hospital, when she becomes a patient with us, she could, in fact, say to our hospital, I don’t want the Community Memorial Hospital to see the records from Winona Clinic. We can lock that down.

MS. BERNSTEIN: And even her care giver would not be able to see them.

MS. LANIK: No, I’m sorry. That’s different.

MS. BERNSTEIN: That is the question.

MS. LANIK: Her physician and the clinicians would have to see that.

MS. BERNSTEIN: So to whom would they be restricted? Who would have no access to them?

MS. LANIK: Only the physician that is taking care of her and the care givers. It is by user. We define access by important - for information that you need to do your job. So the access to it would be only people that had access to taking care of that patient while they were there.

DR. ROTHSTEIN: Mr. Lukens.

MR. LUKENS: At Lehigh Valley, we follow the same process. The physician or the care giver providing care has access to all the medical records. Physicians outside of that care, we would not provide that data. We would basically lock it down.

We have similar situations with psychiatry patients, but I do want to emphasize that the care giver would have access to all medical-record information.

DR. ROTHSTEIN: So that the physician treating this hypothetical woman for the sprained ankle would have access to the reproductive history?

MR. LUKENS: That is correct. We follow the same idea that the physician needs all the information to treat a patient.

DR. ROTHSTEIN: Do you think someone treating a sprained ankle would need that information?

MR. LUKENS: I believe a physician needs all the information to treat a patient. There could be - let’s say blood studies that were done when she was pregnant or some type of ultrasound studies that he may want to reference. I don’t know, but I do know our philosophy is all the medical-record data for the treating physician.

DR. ROTHSTEIN: Okay. Thank you.

Harry, sorry for the interruption.

MR. REYNOLDS: No, that’s fine.

Thanks to all of you for your testimony. Some of us are on other committees, so the more we can learn about what you are doing in electronic health records is a plus.

I heard a number of statements - share clinical data that was agreed upon by physicians, clinically relevant, easy to use, accessible - and then when you think of the individual patient, I guess a couple of things.

One - and all three of you can respond - is the data accessible to the care giver or is it required that the care giver look at it?

Secondly, how do we really, in the end, explain to the patient - And I just finished a 10-day inpatient stay, so I am your worst nightmare - (laughter) - from the standpoint of being on the other end. How do you truly explain to the patient what your medical record is, what you are going to do with it, who has it? Because I can’t answer any of those out of my current stay within a large teaching institution. I know we signed something just as they put me out - (laughter) - but I can’t tell you what it was, and I sure can’t tell you how it worked.

So, no, I mean, our job is to look at the privacy and the understanding of the person, not so much, you know, exactly what the doctor thinks or the institution thinks or the institution is made up of 15 entities rather than one you happen to be a resident in at the time.

So how do we really, as a country, really explain to the person what is going on and when they sign something, yes, they could get to the record, but how many really even know there is an electronic record?

And so how do you help us view it from that person’s standpoint and from the standpoint of - You know, there’s discussion in the country now about certification of systems. Well, should there be something - certification of privacy, and if you have an electronic medical record you have to go through - you know, you have all the quality - you know, CAQH, everything else. I don’t know, but -

So I would love your comments, because you have all done a great job and you’ve got a lot of data, but, now, there is information and, now, there is the person, and so how does it work?

MR. LUKENS: If I may start - This is Harry Lukens.

I am only speaking for Lehigh Valley here. We do not do a good job of explaining to a patient pretty much what they are signing. I mean, we answer their questions. We give them the basics, but we do not give them an EMR 101 course, just as when we had a paper medical record, we didn’t necessarily go through what would happen with that. It is a flaw in the system. We believe that the patient understands all the buzz words and all the access, and, in reality, they don’t.

I don’t know the answer to this. I mean, I don’t believe the answer is yet another form. I don’t know - and I also don’t know how other places handle this, but I know we here do not do a good job of that.

MR. MC DANIEL: I’ll speak next.

One of the things that we have been working on since 2003 when we implemented the Privacy Rule of HIPAA has been to try to not only see HIPAA as a legislative requirement, but also see it as a part of how we treat our patient and try to help our organization understand that protecting the information of an individual veteran is just as much a part of treating that person and caring for them as giving them a shot or giving them a brace to walk on, and I think that that is not something that you change overnight. You don’t move culture overnight, but I think that is something that the whole industry needs to embrace is that as we broaden and become more electronic and as we become more capable of making the information accessible, we also help our providers and help our organizations understand that that information needs to now become a part of the treatment process. How we manage that, how we use it and disclose it and even down to how we help our patients understand how it is maintained and used is a critical part of that treatment process. I think that is probably one of our greater challenges to becoming more able to share information broadly is how do we change the culture that goes along with that, not just putting an electronic medical record in place, but making all of the things that go around that happen.

MS. LANIK: What I was going to say, too, that is a very good question and it is fair, and I think it is one of those opportunities for improvement for all healthcare organizations, whether electronic or not.

When we looked at implementing the Privacy Notice, the samples that we got from the Minnesota Hospital Association and the American Hospital Association were almost 50 pages long, and to think that patients would be able to understand that and read that and - it was just impossible. We got ours down to just a few pages, but it is small print - (laughter) - and we tried to put our pledge to them right out front in big, bold letters that our pledge was to keep their information private.

But I think that is a really fair question. It is one that I’ll take back with me, because what we try to do in our rounding for our patients - We do rounding. Our managers do rounding on patients and ask them about privacy and we have a one-on-one encounter when patients come into our department, for instance, and ask for their information, their health information, What is in my record? So that happens. We do things locally in our paper, on our website about what the electronic medical record is all about, what is in there.

Just recently, we hosted the Chamber of Commerce from Winona that came. We had received an award from them on our electronic medical record, but, again, when we showed them an example, one of the Chamber members said, How do you ever get that out of there, then, if I am in a car accident in another state? And so we could say to them, Well, we are not connected to that state, but that information can be printed, faxed, called, and that calmed the patient to understand, so, again, what is in there.

I think that is a great question, because we - as I said, we try to do that with - we have posters throughout our organization, talk about what the electronic medical record is, what is in your health record, what your rights are. Every patient gets a booklet. I’m sure you got it, you know, 50,000 pages in there to try to understand, and we have social workers that go around to try to help people understand those things, but it is a very fair question and one that I think we need to work on.

DR. TANG: This is a followup of Mr. Houston’s question in terms of particularly with the VA having to work in 50 states and territories. You explained how the internal movement of information can be on federal property, so you would only have to obey the federal laws.

What about patients’ access to the information? So on paper, whether you only have to follow the HIPAA guidelines?

For example, in the State of California, although HIPAA guarantees that a patient can walk in and get their paper record of all the transactions, if they want to have access to electronically, we have laws that prevent the disclosure electronically to them in four different categories, which includes abnormal pathology results, which, for us, one of the big disappointments, it includes PAP smears. So we actually have to block our electronic access to patients of their own results, just because of California laws. Multiply that by 50. Is that something you also are protected as a federal agency and not have to follow all these state laws or do you have to follow them for -

MR. MC DANIEL: As I understand it, because we are a federal agency and because we operate on federal property, we do not have to abide by state laws. However, where we have been able to meet the needs of a patient request - For example, if they wanted to see their record electronically, we would make that available to them electronically. If they wanted it in paper form, to the degree feasible, we try to accommodate our veterans.

And from the standpoint of redacting information or taking out information, that would really be not something that would necessarily be a standard practice in any of our facilities, if they requested a record.

DR. TANG: Maybe the other groups can talk about when a patient from a different state needs access to their records.

MS. LANIK: Are you asking if someone lives in Wisconsin -

DR. TANG: Right.

MS. LANIK: - and you’re talking electronically? We don’t do that at this time. It’s a signed consent per Minnesota state law and we give it to them in paper.

DR. HARDING: We were in Chicago a couple of months ago and an ob/gyn doctor from Chillicothe, Ohio, or something like that talked to us about - it’s a mega group in Chillicothe, of ob/gyn only, and he said that there were two problems. One was the issue of that they did not have their system - they are a paperless system - did not have their system on the internet. It is a self-contained, intranet, I guess, and the other was backup for the electronic medical record in that he said their system would go down weekly and for periods of an hour or two hours, they did not have access to the material, the health information. Have you all had that? What is your backup system in a paperless - you are moving towards a paperless, I know you were saying, and I didn’t - I came late for the Lehigh Hospital, but I assume that they are working on a paperless system. What is the backup in an acute-care hospital for a paperless medical system?

MR. LUKENS: We, at Lehigh Valley, have what is known in the business as a hot backup which is a replication of the data that occurs real time, so that if our primary processor dies the secondary processor kicks in, and it kicks in automatically, and we have the same redundancy in our network. Network - one node goes down, there’s a second node that picks it up.

DR. HARDING: So you have not had that kind of an hour of no information.

MR. LUKENS: No, I think I would be looking for work if that happened. We are - our up time is 99.8 percent here on average for systems. So we could not survive with an hour down time every week, as you said.

MS. LANIK: The same with us. We have never had an interruption in our information. We have an ASP model and fiber-optic cable.

MR. MC DANIEL: All of our facilities have disaster-recovery plans and backup plans that would allow them to reinstate very rapidly, and that is different for each hospital, because each hospital may have particular needs or particular risks that they want to address. So the means of recovery would be different by facility.

DR. HARDING: And is it also true that all of you don’t have hookup to the internet?

MS. LANIK: Right.

DR. HARDING: You don’t. So -

MR. MC DANIEL: We do not use the internet. We do use the intranet.

DR. HARDING: You have to dial in to get information from another VA to that VA or another hospital.

MS. LANIK: Ours is fiber-optic cable.

MR. LUKENS: Lehigh Valley does not yet have internet access to our electronic medical records. We are in a pilot mode with our vendor, Next Gen(?), to provide what is known as Next M.D.(?), which would give the physicians internet access, but I really - the bugs I have seen in that, it is probably six months away.

DR. ROTHSTEIN: Okay. We’ve got two followup questions. Dr. Tang.

DR. TANG: One question, Ms. Lanik, when you mentioned you using ASP model, who owns the software and the hardware that it is running on? Is it Winona?

MS. LANIK: Cerner(?), Kansas City.

DR. TANG: Okay. So the question there relates to HIPAA. As you know, Cerner is not a covered entity, so you are a covered entity, presumably, that has a business associate agreement with Cerner?

MS. LANIK: Correct. Correct.

DR. TANG: There have been examples, especially around the dot-com era, when people did use the ASP model. In the contracts, the company that ran the information system owned the data that was in the system.

MS. LANIK: They do not -

DR. TANG: When the company - and they, too -

MS. LANIK: They do not. We own it -

DR. TANG: Okay. And that is by contract?

MS. LANIK: That is correct.

DR. TANG: So if the company were acquired or merged or went bankrupt, you would - they have a responsibility to destroy the data?

MS. LANIK: That is correct.

DR. TANG: And they cannot aggregate your data with others -

MS. LANIK: Correct.

DR. TANG: - and resell that?

MS. LANIK: Correct. That is correct. Good question.

DR. ROTHSTEIN: Mr. Reynolds.

MR. REYNOLDS: Yes, the idea of having hot spares(?), whether it is data or processors or you mentioned the lines in where you would have to have multiple paths into your hospital so if a backhoe got the front yard, you’d still be okay in the back yard, which all of us have to deal with, that’s gotta add - I guess from the tone of your voices, you feel that is mandatory if you are having a true electronic medical record that is being involved in care.

As we move to the smaller practitioners and we move to the smaller environments where that has gotta be a more prohibitive cost at those levels than it is at the larger ones, so that is something we are always trying to keep in mind, too, is how can you proliferate the model? The model amongst the big players usually can be somewhat self sustained and somewhat justified.

How do you see the model transferring to the smaller clinicians? Do you see - ASP was mentioned. Do you see that the larger facilities house that for them so that they get access - they use your backup and other things or do you see this actually being proliferated into the smaller environments?

MR. LUKENS: I don’t know how the small two- and four-physician practice can afford all of this, not only from a hard-dollar acquisition, but from the ongoing support. If you have backup processors, you gotta have somebody that knows what they are doing with them.

I believe the ASP model will be the one that will provide the smaller practices with this type of technology, and, in our case, we would be the host for those software and databases. I don’t know how else it can work, besides an ASP model. Perhaps the ASP would be the vendor, like Cerner or Next Gen or IDX, but I believe it has to be an ASP model.

MS. LANIK: And that is truly the only way we could afford it. I mean, even then, we spend 41 percent of our capital budget on information technology, but that is with the ASP model because we are fairly small, a 99-bed hospital.

DR. ROTHSTEIN: Dr. Vigilante.

DR. VIGILANTE: Yes, just actually a followup on Harry’s first question, and it is a bit rhetorical in some way, but I just wonder, you know, it is kind of hard to explain to folks what an EHR is if you are not one of the true believers, and I just wonder if, in fact, that understanding only comes through use and whether PHRs, personal health records, are actually the way that people really understand what an EHR is and it is engaging folks at that level that really produces the kind of depth of understanding you need to have in order to wrap your head around it, so that - sort of observation and just - comments.

And, secondly, do any of the folks here have a personal health record to complement or a personal health dimension of your electronic health record? I know VA does.

MS. LANIK: We do, yes.

DR. VIGILANTE: Uh-huh.

MS. LANIK: It is called Winona Health Online, and that is how we initially started in 2000, become an alpha site for that. Just a few problems along the way and so we are back in the infancy stages again, but that is another good way to answer your question, too, on getting the public involved and the community involved in understanding what is in their health record, but we are, right now, testing that. The electronic - it is called Winona Health Online for the public health record, and we are looking at working with diabetes management in the community.

DR. VIGILANTE: That started first, did you say?

MS. LANIK: Well, it started, but it -

DR. VIGILANTE: Okay.

MS. LANIK: It started and it was - Again, in a small community, to get people to sign up, it was - What is that? You know, I’m a little leery, and, of course, we had some technical problems as well, and that spurred us to look at - we were looking at vendors at the time - to look at moving to electronic medical record, and then that is why we eventually partnered with Cerner, because - they actually found us because we were considered so wired as a small community - to look at the public health record.

So that we had to put aside, and, now, we have been working on all this while, but we are really in the testing phases again of looking at a true public health record. It’s been -

DR. HARDING: Is the vision of the personal health record to have - what - are there restricted domains that a person will not have the right to you or is it going to be fairly comprehensive?

MS. LANIK: That is a huge long-term goal that would be a comprehensive. Yes, right now, they take a little test and - as far as their health needs and we have done some testing and back and forth on diabetes - diabetic patients, for instance, doing their testing and getting their lab values back and certain things like that we are working with. It is not perfected yet. We have done some great things with it, but we are not ready to - you know - blow our horn totally about what we are doing yet with Winona Health Online, but that is a great question, because it helps expand the information to the patient and the community.

MR. MC DANIEL: As we are working through the My Health Vet Program, we - I Can Cope Vet - we also help the veteran better understand the concept of the electronic medical record. If they have their own personal record that they can maintain and that they can keep information in, and that information is theirs, they put it in there and it is theirs to manage and monitor, but I think you are absolutely right. We have to get to the point where we can help them better understand this migration to an electronic record and that doesn’t just come from the vapor. It has to come from our efforts in helping them.

DR. ROTHSTEIN: Mr. Lukens, did you want to respond to that?

MR. LUKENS: We have started with something we are calling Physician on Line where a patient can communicate with their doc electronically. The physician or the practice then can patch back to the patient lab results, scrip refills, but as far as building - having a patient build their own health record, we are not there yet.

I do believe that is one of the better ways to educate patients because as they start to build their own record, we can then supplement that record with the information that we have in the EMR.

DR. ROTHSTEIN: I have two questions that I would like to ask our panel members. The first one is suppose there were a breach of your security somehow, say a rogue employee created a file and took it home and did who knows what with it or perhaps some business associate suffered a hacking incident or whatever, tell me about your policies to notify the patients that there has been a security breach. Ms. Lanik.

MS. LANIK: Well, at this time, our policies don’t cover alerting the patient of the breach, unless the patient brings it to us that they feel that it has been breached.

DR. ROTHSTEIN: But you know that it’s happened. You have discovered that there’s been this breach, and you currently do not have a policy to notify all -

MS. LANIK: For all breaches. For instance, we have had patients say they feel there might have been a breach, whether it is electronic or paper, if it is spoken or what have you, and then we have policies in place how we handle that and get back to the patient if there’s a complaint or a concern about the privacy of their information.

As far as the breaches that - as I said, we audit the medical record at all times, and most of the breaches that we are seeing have to do with our staff feeling that they can look at their own medical record on line, their electronic medical record, and so then we have - of course, we take it right to the Human Resources Department. Those are the things that we are seeing.

We have had a breach with a - an attempted breach for one of - a patient death, for instance, where - not from our hospital, from one of the clinics that they had gone into a record that they did not have access to, and it did end up in termination and in termination. The patient was deceased, but they had no right to be in the medical record.

DR. ROTHSTEIN: Right.

MS. LANIK: And it is after a thorough investigation, but right now, I guess that is a very fair question, and I think we have to - of course, we have disclosures for when there’s errors at their medical care. We don’t currently have a disclosure policy for when there is a breach of their electronic information.

MR. LUKENS: We, probably, like everybody else, run intrusion detection software on our network that we would probably see the breach, and, like Winona, we have only dealt in the past with folks who believe that the records have been compromised, and there have been those occasions when we have seen that and it has been an employee looking at their neighbor’s record or whatever. In Lehigh Hospital, that is a termination offense, and we have terminated people because of that.

Our policy is to contact patients and let them know if we believe their records have been compromised. We have not had to operationalize that and I am not sure how that would really work if one of our major databases were hacked, because there would be literally tens of thousands of patients, potentially, in there.

DR. ROTHSTEIN: I understand. There is a model in the financial services field in California for sure.

Mr. McDaniel.

MR. MC DANIEL: We aggressively investigate any instances where we believe that our information has been breached. If it is an employee issue where the employee has used or disclosed information that is inappropriate that is not within the minimum necessary standard, we would pursue that with that employee and we would offer sanctions up to termination if that were the case.

With our business associates and our trading partners, certainly, if we find that there’s been a breach, we try to mitigate that. We actually did have a breach where our clearinghouse accidentally sent several patients’ information in one envelope, and the patient that got the envelope recognized that there was other patient information in the envelope, brought it to the VA Medical Center and not only did we formally apologize to them, we contacted all of the other veterans whose information had been disclosed and we provided them with insurance coverage for the protection of their privacy and gave them access to the three major credit bureaus and wrote contact letters for them. We tried to make it as easy as possible, so that they didn’t suffer any damages as a result of that.

If we were talking large numbers, so I am not sure how we would handle -

DR. ROTHSTEIN: Okay. We’ve got two followups on the breach issue. Mr. Houston.

MR. HOUSTON: I’ve heard Mr. Lukens speak to what the actual - the fact that they have terminated an individual -

MR. LUKENS: Sorry, I can’t hear you.

DR. ROTHSTEIN: A little louder.

MR. HOUSTON: I’m sorry. I heard you speak specifically to the fact that you have terminated employees for inappropriately looking at patient records. Do each of you have a formal policy as to what type of corrective action is based upon an employee’s inappropriately revealing a patient’s record, and, if so, is that something you can share?

MR. LUKENS: We do have such a policy. I don’t see why we couldn’t share it with you.

MR. HOUSTON: Just the highlights.

MR. LUKENS: Just want to make sure I clear that with the folks here, but it is really pretty simple. We have auditing software that watches what I say to people. As soon as you log on, we watch where you go. That includes physicians. The process for sanctioning a physician lays with the medical staff leadership because only a fraction of our physicians here are employed by the hospital. The non-physician is handled by our HR policies and it is very clear. I have no reason not to share that with you.

MS. LANIK: Our policy, as I said, with also the other two privately-owned clinics, is the same, and it is pretty strict criteria, but if an employee - it is pretty clear in the policy that if an employee had no right to be in that record for any reason, they are terminated, and it is, of course, a thorough investigation first. If they were in there for - but if they have no right to be in there or haven’t created the partnership, they are terminated.

MR. MC DANIEL: We do have a standard policy for sanctions against employees, and we also have guidelines that map to specific types of infractions as the suggested application of that sanctions policy.

DR. TANG: Mr. McDaniel, you mentioned in that breach that you - where you shared additional patient information in one patient’s envelope and you offered them - I think you said insurance for privacy. Maybe you could explain that a little bit.

MR. MC DANIEL: Sure.

DR. TANG: That sounded very interesting.

MR. MC DANIEL: Sure. There are insurances that will protect a person’s identity - it is an identity insurance, essentially - that if there is an inappropriate use of that person’s identity for a period of a year or however long you purchase this insurance coverage, it will actually help pay to mitigate any damages against that person.

DR. TANG: And that is financial only? In other words if someone did identity theft and got a credit card under your name and used that versus, let’s say, somebody obtained some other - let’s say there were damages that you could quantify to release of private - you know - private health -

MR. MC DANIEL: I think that would depend on the policy and who you were - you know - which company you were getting it from. It probably is different from one to the next.

DR. ROTHSTEIN: I have another question for Ms. Lanik, a special question for you.

Since 1983, Minnesota has a state law that prohibits employers from requesting and healthcare providers from disclosing information about an individual in the employment context that is not job related. So suppose you have an individual who applies for a job with Target and wants to be a manager at the corporate headquarters or wants to drive a truck for 3M or some Minnesota employer and the authorization that your hospital system gets says send me all the records relevant to whether Joe Smith can work in the office, how do you deal with that request? In other words, how do you send out only the information that is relevant to whether they can do that job?

MS. LANIK: We talk to the patient, you know, as far as exactly what they need, but we don’t give our information that they have restricted.

DR. ROTHSTEIN: The patient hasn’t restricted it. It’s an authorization -

MS. LANIK: From the company, you mean.

DR. ROTHSTEIN: Yes.

MS. LANIK: Right.

DR. ROTHSTEIN: And so the patient is now going to determine what is medically necessary?

MS. LANIK: I guess I am not understanding your question as far as the medical necessity. For them to do the job at Target?

DR. ROTHSTEIN: Or drive a truck for 3M or fly a plane for Northwest Airlines or -

MR. MC DANIEL: Suppose they have a seizure disorder and they don’t want that to be shared -

DR. ROTHSTEIN: Correct. Right. So in that situation, you are vesting the responsibility with a patient to disclose what they want?

MS. LANIK: Actually, we get a request like that, if we are not allowed to - if we are unable to give the information, we just tell the company we can’t give that information. Is that what you are asking?

DR. ROTHSTEIN: Well, I’m trying to figure out how you respond to a request to restrict information when it is not clear on its face what the information that you are supposed to give out is. If you give out everything, it’s - you know - they can’t - it is illegal to request everything.

MS. LANIK: Right. Limited disclosure. Yes.

DR. ROTHSTEIN: They can only request a limited amount under Minnesota law.

MS. LANIK: Right.

DR. ROTHSTEIN: Well, maybe Mr. Lukens can help us, because everywhere it is the law that - the same thing with regard to current employees. It is only different in California and Minnesota with regard to conditional offerees. So you get a request. You want to check up on a - an employer wants to check to see whether a current employee is still capable of performing the job at Lehigh Dairies, and you get a request that says, Tell us whether Joe Smith can still drive one of our dairy trucks. What medical information do you send to the employer?

MS. LANIK: See, we don’t give it.

MR. LUKENS: Do I also get an authorization from the patient to release their information?

DR. ROTHSTEIN: Yes, the authorization says you are hereby authorized to release all information relevant to whether I can drive the truck.

MS. LANIK: And the patient has signed it. That was - I was asking before -

DR. ROTHSTEIN: Correct. The patient has signed it. Yes, so how do you decide what is relevant and what technology do you use to screen out what is irrelevant?

MR. LUKENS: To be honest, I don’t know the answer to that. I don’t know how frequently we receive something that is that restrictive or that requires carving out the records, because I am not sure we could even speak to that, unless there was something glaring like - as you said - seizures. So I really don’t know how we would handle that.

DR. ROTHSTEIN: I bet you’ve got one today.

MR. LUKENS: You do?

DR. ROTHSTEIN: Yes, you probably get one every day.

MR. LUKENS: Okay.

DR. VIGILANTE: What if there was a request form that had specific conditions to check off, would that make it easier to answer the - because that is usually the way it happens.

MS. LANIK: That is how our form is.

DR. VIGILANTE: Usually, there is a form that comes that says, You have these disorders that are - you know - that -

DR. ROTHSTEIN: Well -

DR. VIGILANTE: – driving a truck or flying a plane or something like that.

DR. ROTHSTEIN: Well, those are when it is a government-mandated - whether it is ICC or FAA, they have specific forms, but other employers don’t - they just sort of request stuff. The fact of the matter is that healthcare providers send everything as a matter of course, because it is too expensive to do it otherwise.

MR. MC DANIEL: I know when patients come to me, they usually have a form.

MS. LANIK: Right. Same with us. It is very specific.

MR. MC DANIEL: Can I do this and, you know, I have to check it off -

DR. ROTHSTEIN: Okay. Let’s suppose you have a form that someone comes to you and says, We want to know about 15 things and one of which is whether they have orthopedic problems or vision problems or whatever. Do you have a way of searching the electronic record to disclose only that information and not disclose other information?

MS. LANIK: What we have done in the past - how we handle a request like that is we have got a policy that says what is the minimum necessary to give out for any record. So if we had a request and that particular person had been in the emergency room, for instance, we wouldn’t give them every nursing, every lab value. We would give them the summary of what we call our T sheet, which is just a quick summary. If they had been in the hospital and they had a surgical procedure, we would give a history and physical on the operative note only. So we have specific things that we do on all release. I guess, to answer your question on any release request that came in it is minimal necessary. We have a policy that outlines what that would be for that particular encounter. Does that help? And if the patient has signed - Sometimes, we do call the patient to have them understand. Do you understand what you have signed here that this employer is asking -

DR. ROTHSTEIN: Well, it wouldn’t be - the request wouldn’t be encounter based because no one would know what the encounter was beforehand. So they - you have an authorization that says, Send me all the orthopedic and ophthalmologic records of Joe Smith. Now, do you have any software that lets you punch two buttons and only send that stuff?

MS. LANIK: No.

MR. LUKENS: No, neither do we.

DR. ROTHSTEIN: And the VA?

MR. MC DANIEL: No.

DR. ROTHSTEIN: Could you?

MR. MC DANIEL: I don’t know the answer to that.

MS. LANIK: Could we assess the record or what are you asking? Could we -

DR. ROTHSTEIN: No, could you develop - could you imagine developing that sort of software? Do you think your system would -

MR. LUKENS: I think the software could be developed. The problem would be in the acquisition of the data. In your example, assuming the software was there and the data was correctly acquired, you would be able to go in and look under, let’s say, a hospital service or for orthopedists and pull out encounters that are attached to that.

DR. ROTHSTEIN: But it would have to be coded in the first place, which -

MR. LUKENS: Yes, it would.

DR. ROTHSTEIN: - adds all sorts of expense and so forth.

MS. BERNSTEIN: Yes, Mark, I think part of the problem with the issue that you are trying to deal with is that the coding, as you said at the end, is probably the key. We heard in the last hearing from, for example, a dentist who was saying that there is information about erosion of the teeth that will tell you that a patient is bulimic. Is that a mental-health record? Is it a dental record? You know, what kind of record is that? And it would depend on how you coded that or where that person was treated and so forth whether that fell into one category or the other, I think.

DR. ROTHSTEIN: Well, which is sort of a medical determination in the first place, but the answer is that even if you had a medical determination and wanted to comply with it, and this is not a fault of your system, it is - the fact of the matter is we just don’t have that capacity now, and the question is whether it is - the cost of doing that is justified by the privacy protection that would be on the outside of it.

Well, I want to thank all three members of our panel for very important testimony, and I am sure you could judge by the feeding frenzy during the question period how interested and concerned we are about these issues and how we are thirsting for knowledge, and your testimony has been very helpful.

MR. REYNOLDS: Mark. Mark. I would really like to ask one other -

DR. ROTHSTEIN: Oh, I’m sorry.

MR. REYNOLDS: I mean -

DR. ROTHSTEIN: And, now, the final -

MR. REYNOLDS: I don’t want to lose these guys -

DR. ROTHSTEIN: Okay. See, we are - I told you we’re thirsty.

MR. REYNOLDS: No, each of you - as we see everything coming out of this building and Washington in general, interoperability, and internet is always a key word, and each of you - if I recall your testimony precisely, each of you stayed away from the internet. As you - so if true interoperability - if regional interoperability has to include the internet, because private networks aren’t going to get it, and national definitely involves the internet, you are going to have to do some - Do you see - You, obviously, decided not to use the internet. So was it more of a firewall, a security, a privacy or all the above?

MR. MC DANIEL: I think for us we probably would have to really look long and hard at the security implications of a solution like that, and given that the internet is so freely accessible by so many people, many of whom would be more than happy to cause harm to our patients by using the information that would be housed on the internet that it would be - there would have to be some sort of ironclad solution that would provide us with the kind of confidence that we could use the internet or protected health information in a way that we were confident that it was not going to be taken and misused, and I think that that is not something that we have seen today.

MR. LUKENS: I think that was well said, and I would second those comments.

MS. LANIK: Myself as well, yes.

DR. ROTHSTEIN: And for those on the internet, Ms. Lanik is nodding as well.

Well, thank you again, and we are going to take a recess until 11:05, and then we’ll have Panel II on Health Systems.

(10:54 a.m.)

* * *

(11:09 a.m.)

Agenda Item: Panel II – Health Systems

DR. ROTHSTEIN: Good morning. We are back on the record, and Panel II on Health Systems is here to further educate the members of the subcommittee, and without any objection, I would like to proceed in the order listed in the schedule and begin with Mr. McBride. Welcome.

MR. MC BRIDE: Thank you.

First, I would like to thank the committee for allowing Availity the opportunity to share our experience, thoughts and needs regarding privacy and health information technology, specifically with respect to the creation and deployment of a national health information infrastructure.

My name is John McBride. I am a computer scientist and currently serve as the chief technology officer for Availity.

I have worked across a broad spectrum in healthcare IT from clinical IT developing electronic medical records for emergency department information systems to global provider collaboration portals to my current position with provider/payer connectivity and collaborative applications.

Some of what I will say here today has thankfully been addressed in what I feel is a very positive way according to the press release yesterday from the Department of Health and Human Services. My company and I were one of the many who responded to the NNRFI, and the responses so far from the department have been very encouraging.

Briefly, I would like to give some background on Availity for context. Availity is an independent joint venture created in Florida in 2001 between two large health plans, Humana and Blue Cross Blue Shield of Florida.

One of the purposes for the creation of Availity was to provide a utilitarian internet solution to the looming HIPAA compliance deadline in the State of Florida. By collaborating with others and consolidating provider portals, via a geographically redundant ASP model, provider workflow could be improved and healthcare costs could be reduced.

Eligibility and benefits, authorizations, claim statuses and, of course, claim submissions and - advice were available securely on line, and all of this was provided at no cost to the providers, which was another appreciated efficiency.

In addition to our payer-owners, today, Availity has connectivity to over 1,000 payers nationwide, including real time connectivity to a total of 10 payers that represent approximately 58 percent of the private payer market in Florida.

By offering functionality via these payer connections to providers across the state of Florida, Availity services over 90,000 portal users and 400 vendor partners. This has resulted in 14,500 out of 15,000 provider sites, using Availity in Florida in some way, shape or form, which is over 90 percent of provider sites in the state representing approximately 40,000 providers.

On behalf of our users, Availity submits over eight million HIPAA-compliant transactions to payers each month and is on a run rate to exceed 100 million HIPAA-compliant transactions in 2005.

The formation of an NHIN, national healthcare information network, could be based upon this and other proven methodologies. The NHIN will likely evolve from existing networks and technologies and will not be revolutionary or installed in a massive system implementation. As such, the evolution of the NHIN should be incremental in a phased and structured approach. The NHIN must be open, not only in standards, but in participation by all industry constituents. NHIN governance must consider and allow every size and configuration of those who access the NHIN to participate in a collaborative manner per guidelines to be determined.

Based on evidence from Availity’s administrative experience in Florida, we believe that with enough payer market share in other regions, providers and vendors will modify behavior towards more efficient workflows. Market share drives adoption and utilization, since there is an efficiency to be gained in the provider work flow.

More patients being seen will be covered by a connected payer. Then, utilization will drive down costs and the repeating cycle of improving the workflow can continue. However, the administrative transactions are only the beginning of what can be interconnected.

Administrative communication provided by the connectivity and network. Now, many follow-on applications can now take advantage of that investment and infrastructure and utilization. The electronic health record can be created by appropriately combining the provider-based electronic medical records, the payer-based health records and aspects of the consumer-based personal health record. This does not necessarily mean that the records are stored in a centralized location, but rather that centralized record pointers could provide locating and accessing services.

Given privacy and other concerns, some may question the need for a national health information infrastructure. To those people, I would like to introduce Amy as a real-world example of how sharing healthcare information could have made a difference.

Amy was 27 and pregnant with her first child when she developed an aneurism near her spleen. Unfortunately, Amy’s care providers did not or were not able to collaborate and share information to create a complete picture of her medical history.

Later, it was determined that even though Amy’s lab and other diagnostic information was available it was not shared. She visited the same ER on two separate occasions before her obstetrician ordered an emergency delivery. Sadly, Baby Madeline did not survive her mother’s aneurism. Surgical intervention was not immediate because Amy’s doctors did not collaborate and share information. It is possible that with more medical information shared at each point of care, Madeline would have survived.

In the national health information infrastructure, patients should control their data and their personal data should remain private, except in certain well-known and appropriate circumstances also to be determined, perhaps such as the one Amy endured.

In Amy’s case, the ER physicians may have reviewed her history via the NHIN and perhaps would have had a better chance of quickly making the correct diagnosis.

So, finally, I have six key recommendations and requests on the creation of the NHIN for the committee as follows:

Uniform application of laws and government leadership should be applied to the NHIN as well as other national healthcare initiatives. There are too many federal, state and local laws and departments that conflict. Without one clear governing body, any initiatives at the national level will be extremely complicated, if not impossible, to support.

In addition, HIPAA needs to be completed so that it can be used as a building block for the NHIN and other initiatives. As the primary foundation and standards backbone, it is clear that until and unless the industry can do the easy part, HIPAA, it will never be able to meet the challenge of the more complex clinical delivery, especially as a voluntary effort.

A user model in associated use cases must be created to clearly define who administrates, controls, authors, accesses and edits health records. The NHIN governing body should consider the creation or selection of one or more trusted entities, which is only, perhaps, solely responsible for servicing the request for data, but does not necessarily store the data.

Patient participation in the NHIN should be voluntary for patients, but opting in requires patients to follow the standards established for the NHIN. Consumers should, therefore, be represented on NHIN governance boards.

While implementation of the HIPAA National Provider Identifier is proceeding, the remaining HIPAA identifiers, such as health plan, individual identifiers, are critical to helping evolve healthcare interoperability.

Registries that securely manage the digital identities of patients, providers, payers and medical staff are a core requirement to the secure operation and adoption of the NHIN. Without unique ID’s, locating records and communication will remain inefficient and prone to error.

The usage of standardized data elements and concept and context management should be mandated by the NHIN governing body. This will allow the data to remain meaningful across network boundaries.

Interoperability standards, including privacy and security requirements, must be created at the national level. Wherever possible and appropriate, existing standards should be leveraged. For instance, the internet must be uniformly embraced by all public-facing government healthcare entities, as well as the remaining public entities.

Availity believes that in order to achieve the goals as stated for the NHIN in the time frame allotted, a line must be drawn in the sand for the planned obsolescence of technology. This should happen with the creation of the NHIN, but also be an ongoing strategy of the governing body or bodies of the NHIN.

Sunset and maintenance rules must be created and adhered to, perhaps tying funding with established time frames. A continuous 10-year rolling plan, for example, should be published with achievable milestones.

The DHHS should create a federated model of regional networks, RHIOs or otherwise, by whatever name, which when connected make up the NHIN. Regional networks could apply for connectivity with the NHIN based on meeting minimum interoperability standards. This would allow many networks to evolve in parallel, but keep them driving towards the same requirements and goals.

So that concludes what I am asking for you to consider. I realize there is no single silver bullet here, and there is a lot to tackle, but by focusing on a few key points, we can begin making progress in a logical, methodical fashion.

Thank you very much for your time.

DR. ROTHSTEIN: Thank you, Mr. McBride, and we’ll have questions for you after we hear from Mr. Sheils.

Mr. Sheils, please.

MR. SHEILS: Thank you.

My name is Paul Sheils. I am the CEO of Aetna Health Information Solutions, which is a unit of Aetna, which is a national health plan with 14 million members.

My interest in this area dates back, actually, to 1998, when I was CEO of a company called Medscape, which was a professional healthcare content site that is currently owned by WebMD.

In 2000, we merged Medscape with an electronic medical record company, called MedicaLogic, which is currently owned by GE Medical, and, currently, I joined Aetna about two years ago with the goal, really, of leveraging Aetna’s information and data and analytic assets to help make patients make better-informed decisions.

The purpose of my testimony today, really, is to describe very initial efforts at Aetna and our trade association, AHIP, America’s Health Insurance Plans, to contribute to the goal of developing an interoperable EHR, a national health information network, by encouraging the nation’s health plans to develop - to leverage their claims data, health content, analytic capabilities and their existing relationships with providers and patients to build a claims-based, informatics-informed, patient-controlled personal health record.

Now, by way of context, we obviously applaud and support enthusiastically most of the EHR initiatives you heard about this morning, and we are, in fact, involved in several RHIO initiatives around the country.

What I am going to describe today, really, is what we believe is a parallel effort to develop, really, a practical, near-term solution to delivering important health information to the nation’s patients in a patient-controlled PHR.

Now, the distinction, as you know, between the EHR and the PHR is clear. What I am talking about today really is a patient-controlled and really claims populated initially, but certainly patient populated in parallel informatics-driven - this gets to the issue raised this morning about how important evidence-based medicine is in the application of these kinds of data elements to the patient, and, of course, the goal of this personal health record is that it is interoperable with the electronic health record. So that is the point.

The simple answer as to why plans are trying to get into the business of providing personal health records is that we have access to very important data elements, analytic tools, technologies and relationships with the stakeholders that I think is important for the adoption of these personal health records to take hold.

First, obviously, is the data, and, as most of you know, plans currently are an essential repository for a lot of information about an individual’s healthcare, and for decades, plans have been using that data for research purposes to determine things like trend and predictive modeling and the like. So there is a lot of expertise in the nation’s health plans about how to manage claims data.

There is also the notion that most plans, obviously, have substantial technology platforms that enable them to manage these massive data warehouses and they have sufficient and sophisticated websites that currently interact with both providers and patients.

In the analytic world - and I want to spend some time talking about the reason that some of the personal health technology data can be massaged and analyzed for purposes of providing better decision support to the patients, is that many plans, as you know, also have significant analytic capabilities, both in terms of staff members who are informatics experts, but also in the sense that they have substantial amounts of technology platforms that do automatic analysis of claims, and to do that right, the results of those analyses often give important insights into a patient’s health record and of health status, and provide the patient with some significant decision support tools enabling both the patient and, we believe, the provider to make better-informed decisions.

One of the reasons, actually, you may have read that Aetna purchased a company called ActiveHealth Management last week, and ActiveHealth Management really is a company whose core competency is, in fact, the analysis of claims data to determine if an individual’s claims history indicates a care gap or a care contradiction as it relates to certain therapeutic guidelines and peer-review literature searches.

So we have already applied the power of analytic engines to help patients and physicians make better-informed decisions by using the claims data and analyzing it against current guidelines in the industry.

The additional sets of data elements and assets that plans uniquely have are, in fact, the relationships. We currently have, obviously, relationships with both patients and providers, and that is an important element in enabling the adoption of personal health records to take hold.

And, finally, I think, we have the motivation. Obviously, all plans are interested in improving the quality of care and reducing the cost of care, and, like many plans in the country, Aetna is firmly of the belief that information is an important part of the formula to improve the quality of care. Better-informed patients make better-informed decisions.

Now, if you turn, actually, I have given everybody a couple of pictures to describe how a system like this might work, and I am actually heading out this afternoon to give a similar presentation to AHIP(?), which is the industry trade association for the health plans, and I should point out that this proposal was reflected, actually, in AHIP’s response to Dr. Bailer’s(?) RFI. So this notion of - in that document, it was actually called an individual health record. It has already been outlined in the response to Dr. Bailer’s initiative.

And what I am going to do this morning and at AHIP is really try to define how, for all the plans in attendance at AHIP, they could build a system that enables them to provide a personal health record that is informatics informed that also, in fact, satisfies a notion that it will ultimately be interoperable with EHRs.

So if you look at your slide 3, really, it is just a schematic demonstrating the input of the data elements that plans currently get and sometimes - and soon will get, but, principally, it relates to the fact that there is a significant amount of information in claims data, medical claims, prescription claims and lab values that currently plans already receive.

Now, the goal would - really, to have this member-centric information platform be - have that platform enable the patients to input into the member record self-reported data from a health-risk assessment or any kind of additional areas in which the patient could actually input data themselves.

The goal, obviously, is to make sure that whatever structure a platform takes that it is - it becomes - you know - along the standards that John has just mentioned, interoperable as either a downstream recipient of EHR data or we can - the plans could upstream relevant information that is not currently involved in electronic medical records back to the EHR.

So the goal of the PHR is to do a parallel, essentially, development effort that it ultimately becomes an interoperable set of systems with the EHR.

And, really, what this graphic demonstrates is that once you have the member-centric health profile, the importance for us is not only that there is tremendous value in the raw data - the list of medications, the list of vaccinations, the diagnoses, the number of encounters you had - there is a substantial amount of data. It is not, obviously, as rich as an EHR. Let’s put that on the table. It is not the full Holy Grail, but there is substantial value, we believe, in the information that we can glean from transaction-based claims data. It includes things like lists of medications, list of vaccinations, encounters, and, ultimately, lab values and lab results.

The last page of the deck(?) actually shows some of the data elements that are currently available in claims-driven systems.

But I would like to point out that, really, the value beyond the basic information that can be provided through a personal health record that is claims based is this evidence-based decision support tools. So we are encouraging the health plans to actually wrap around the member-centric record this claims-based analytic capability to enable you to determine things like you are predisposed for X, you have to have a refill, you didn’t go get your refill done, all kinds of alerts, recommendations that are done, really, on the ongoing basis. As claims come in, they are run against the rules engine to determine really two sets of things, one of which is clinical and therapeutic recommendations. That is what this ActiveHealth acquisition actually focuses on.

So, in addition to running - Now, you’ve got claims coming in that indicates you are comorbid with diabetes and hypertension. Those claims will then be run against that profile for how that is supposed to be treated by certain guidelines in the country, and it’ll kick out. In fact, if you are on two drugs that are contraindicated, it will indicate an alert that you shouldn’t be on that kind of drug.

The second kind of what I would argue is rules-based analytic ability is once you have the ability to determine the full member-centric record for an individual, you can then deliver personalized health content to that individual. In addition to the care consideration of the care-alert-based on guidelines, this capability, member-centric information platform, enables you to actually target specifically-related information or health content about your specific condition to you.

So, for example, the patient could say, I have just been diagnosed with diabetes. The simple thing is to send them articles from JAMA or the New England Journal of Medicine about diabetes, but the power of these systems enable you to get far more refined, to the extent there are articles out there that are specific to your individual case of diabetes, you can actually target those more specifically.

So think about the PHR really as a limited - you know - shorthand definition of a member-centric information platform that plans can use to target information to the member, both from a therapeutic perspective and from a healthcare content perspective. You can see the flow, then, results.

If you turn to the next page, which I think is your slide 5, this is just a mockup of what one personal health record might look like, and it is really designed to show that there is substantial value in this limited amount of information to the patient.

For example, you can certainly see that the - it is really one of the first places you are going to be able to turn to that gives you a comprehensive view of your member’s physicians, the medications, the diagnoses, and one of the powers, obviously, is that this will be a patient-controlled device, meaning, unlike the EHR, which is more clinician-controlled, the design behind a PHR, really, is to give the patient ultimate control of who sees the information in this.

This - for example, this mockup shows that, on the bottom, there is a printer-friendly format. The goal being, obviously, that you want to optimize your physician encounter. So you want to be able to hand this to the physician and we’ll have the appropriate disclaimers. It is claims based. It is not an EHR, but, in fact, has valuable information that you, as a clinician or a care giver to this particular patient may want to understand.

So the point would be that you enable the patient to - either electronically, by the way, or through authentication and significant levels of security through the online authorization or in a paper format. If you are the patient, you want to print this one-page summary of your personal health record based on claims out, you can walk it to the doc and give it to him.

Now, there’s also significant amounts of other applications or transaction capabilities in here, but if you turn to page 6, what I’ll show you, really, is some of the value of the engine that you wrap around the record. So slide 5 really is the raw information, which in and of itself, we believe, obviously, is of significant value to the healthcare system.

And the second would be that this is kind of the results of some of the analytic capabilities that plans can apply to that data to push personalized recommendations, content to the patient, and, by the way, to the extent the patient authorizes it, to the provider.

So, again, our view is that this is a patient-centric model. We are delivering a limited data set, although valuable to the patient, and permitting the patient to determine who and what portions of the record that patient makes available to either care givers or others.

You can see, by the way, on slide 6, that you’ve got the ability to not only push specific articles about this particular condition to a patient, but, also, they are going to be able to get the alerts regarding some - you know - contraindications on drugs, care gaps or care contradictions, and you can see this really is designed to show that it is a full service, you know, a plan-based portal, by showing you an additional - you’ve got some information about your deductibles and your other - you know - your disease-management compliance points, for example.

So it is really a full service. The relevant portions for this committee is the areas regarding the claims-based PHR and the analytic capabilities that plans can uniquely deliver.

So let me just go through, I think, a couple of the elements and benefits of the PHR from plans. Again, it is very preliminary. This has actually not been approved by the board of AHIP and will be, in fact, I think, addressed this week at the convention, but the goal would be to enable the board of AHIP to propose this to their membership and have standards bodies working obviously with perhaps this committee and others to make sure that whatever standards that the AHIP comes up for its PHR initiative actually are interoperable with the standards for the EHR.

So the first issue is obviously that it is patient controlled. We believe actually in strict authentication and authorization issues. The patient determines who sees what, and, like other systems, it’ll be an audit trail to determine actually who did see the information.

Obviously, a big issue is determining that the systems are built in a HIPAA-compliant and state-privacy-law compliant manner.

We believe, obviously, with all our heart, that they have to be interoperable with the EHR, not only should there be common data fields, one issue we are struggling with is in order for plans to feel comfortable about being able to differentiate between one plan and another, you can certainly argue that the base information on the PHR should be standard, obviously. The data elements should be standard, but there is a notion that we are toying with that the plan should be able to make the patient accessible via the PHR - you know, CIGNA’s could be green, Aetna’s could be yellow - but when you get to the online authorization of a provider to see the PHR, that should be common, so that there is no kind of issue that Physician X in the emergency room has to figure out where Aetna’s list of medications is, as opposed to where CIGNA’s list of medications is.

So there is some notion that we could enable the plans to differentiate on the PHR level, but when it comes to the physician-accessible patient-authorized PHR, that should be standard. That is our view.

We obviously think it should be portable. This is a big deal, as you can imagine, with the plans that the operating assumption of a PHR is that at the end of a member’s stay with Aetna, Aetna will transfer the data to the next plan. It is a big deal. So that is part of the deal. So if, in fact, an Aetna member becomes a CIGNA member, Aetna is required to transfer the medical information, the PHR data, to the next in line plan, and, obviously, that increases, from our perspective, the longitudinal view of the record and becomes more valuable as the patient moves from plan to plan.

As I mentioned before, we think this does enhance the physician engagement with the member. We think the member is obviously capable of determining what elements of the PHR he should show to her - she should show to her physician, and the physician should benefit from that in ways that we can enhance by providing the same level of analytic ability that we provide to the member to the patient - to the physician as well.

We believe, obviously, in the power of the informatics component of this, the ability to apply analytics to this data to enliven the encounter with the patient and provide - support tools to them, and there’s other benefits, obviously, to the system that enables the patient to have e-visits, e-messaging and e-prescribing in the same kind of platform.

So we turn to slide 7, actually, you’ll see a very - I think a set of data elements that plans currently get that could form the basis of the data elements in the PHR, and, again, I’ll emphasize it is not as complete, obviously, as the EHR piece, but it provides some significantly valuable information for both patients and providers.

So, finally, I think the goal of the PHR really is to improve the quality of care. We believe that if you engage, inform and provide decision support to both patients and providers, healthcare will be improved. We believe that the PHR, if adopted by the plans, will, in fact, provide a practical, near-term parallel effort to the EHR in the development of the national health information network, and, of course, we are committed to working closely with this committee and other committees in HHS to ensure coordinated development of the EHR and the PHR.

Thank you very much.

DR. ROTHSTEIN: Thank you very much, Mr. Sheils, and if the panel is any indication, I am sure our group has many questions for you.

Let me just begin by asking Mr. McBride a question from his testimony. On page 2 of your testimony, sort of in the middle, you say, in the NHII, patients should control their data, et cetera, et cetera, et cetera. How?

MR. MC BRIDE: That’s a -

DR. ROTHSTEIN: Simple question.

MR. MC BRIDE: Simple question, right.

There’s many ways to do this. One - you know - certainly, you know, there’s a lot of depth and breadth to the question. Patients can control this at many levels. The simplest, I think - and then I put in here sort of opting in, so that means that - you know - there’s two things going on. You know, first of all, if I want to even participate in this, that is my choice. You know, that is just to begin with, but, now, once I participate, there are a set of rules, you know, that would be established to be determined, what happens now. So you could have cases, you know, that are within the NHII guidelines on privacy where, let’s say, mental health and substance abuse and so forth is not shared, you know, without further, you know, further approvals or so forth. That is just an example.

If we are talking how technically, I think, that technology exists, you know, coming from a technological standpoint, you know, but I don’t necessarily think that technology is the issue, to answer your question.

DR. ROTHSTEIN: So you are comfortable with the idea of different fields in terms of levels of disclosure, certain treating physicians or other providers would get access to different levels of information. For example, psychiatric information would be available, mental-health professionals, that sort of thing?

MR. MC BRIDE: I am not a doctor. If you separate this from the technical side, which - what you are saying is possible. You can certainly do that.

I do believe you can share the information as appropriately, you know, using the technology, but the business rules or the medical rules would have to be created to decide when that is appropriate and when it is not. I think that is the way to start.

Certainly, just as technology has evolved, you know, we could make rules and the technology match, as time goes on, to get a little bit more granular with information.

I am just suggesting that to get started, especially with the time frame allotted, you know, there is an opt-in, opt-out type of scenario. That would allow us to get started and start to place more granular controls of business rules and technology solutions to address what you are saying.

DR. ROTHSTEIN: Okay. I have one question for Mr. Sheils as well, and that is I am certainly willing to concede that PHRs have value to patients in terms of health promotion, health monitoring and so forth.

I am not sure the extent to which PHRs would protect patient privacy at all in the sense that treating physicians are not going to want to treat people on the basis of their self-selecting PHR information. They would want access to the complete EHR.

At the same time, third parties who are going to be making assessments won’t take the PHRs either. So I am a life-insurance company and I want to decide whether I want to issue a policy and what premium and so forth, I am not going to rely on the PHR either. I want the EHR.

So am I right that the PHR is really not designed for or very valuable in protecting privacy interests? It may be quite valuable in other respects - in disease management, in reminding people what they need to do and so on and so forth - but, as a tool to protect privacy, that is not why it was created nor is it its essential use. Am I right?

MR. SHEILS: Well, I think there’s two points, really, one of which is that we have no conception that the PHR is as valuable as an EHR. Obviously, a physician with an option to have access to an EHR and PHR would pick the EHR, and we support that.

On the other hand, that’ll be a long time coming, and I think one of the benefits of the PHR is that it can be done fairly quickly, and so some number of Americans who will not have the benefit of access to the patient viewable portions of an EHR can, in fact, view the limited elements in a PHR fairly quickly, and those elements are, in fact, a value to a physician who does not have access to the EHR. So, for example, just the minimum list of medications is of value. It is not the definitive, but certain elements of the PHR enhance the physician’s understanding of the full patient encounter.

So we are not suggesting that the PHR is the goal. It is one of the parallel paths that should be adopted by the nation’s health plans to assist in delivering additional information to patients who may make that available to providers in as much detail as we can, which is, in fact, the claims-based.

But I don’t think it is an issue of preferring the PHR over the EHR. It is really the first step in a parallel step.

DR. ROTHSTEIN: And a followup question I want to ask, you are concerned about the following scenario for use of PHR in employment-based health benefits.

You have an employer who, in an effort to save money on premiums and outlays for employee health insurance says to employees, We will give you a $30-a-month reduction in your employee contribution to your health plan if you agree to give our health-risk-assessment contractor access to your PHR and agree that you will work with them to promote your health, and, of course, that is increasingly common now without the PHR component, but under the scenario that I posit, instead of online or other sort of information that is generated by the employee, now, the PHR immediately goes to the -

MR. SHEILS: Or the -

DR. ROTHSTEIN: - HRA company. Yes.

MR. SHEILS: The HRA goes to the HRA company.

There’s two issues, one of which there’s self-reported data through an HRA -

DR. ROTHSTEIN: Right.

MR. SHEILS: - which can be incentivized by the plan or the employer to have the employees fill out.

Second is the claims-populated portion of the PHR that is completely separate. It is essentially plan populated, and the patient or the member has the ability to - I don’t want that. I don’t want the PHR. I don’t want any part of it, you know. Don’t do it for me. Thank you very much, but I am not interested in having you develop a PHR for me. So we won’t.

The second issue I think you raise is the incentivization for members or - excuse me - employers and plans to get people to contribute additional data beyond the claims data to the record, which is the HRA. You fill out the health-risk assessment and you get, you know, you get weight. You get smoking habits. You get all those kind of looser types of data than from the claims data, and the issue, then, is, again, part of the contract in which you sign up for the HRA indicates what uses you will enable the plan or the employer to put to that information, and we would say, you know, that is a matter of contracted contract between the employer and the employee. If the employer wants to incentivize the employee to fill out the HRA, it should be very clearly stated what the purposes of that - what purposes that data will be put to.

DR. ROTHSTEIN: Well, here is my concern, coming from an institution that has adopted this here: The prospect of some non-HIPAA entity having access to my PHI, not knowing what they are going to do with it, not knowing the qualifications of the individuals reviewing it, calling me to hassle me about what I am eating and what I am doing is not very attractive, and I feel that - I mean, there’s essentially three ways that I have seen this response.

You can basically waive the $30-a-month benefit and pay essentially a privacy tax, so you don’t have to share that information. You can lie on your health-risk assessment, saying that you don’t smoke, you don’t drink, you are not overweight and you exercise every day for a half hour, and they don’t have access to any basis for corroborating whether you are telling the truth or not, or you sign up and tell the truth and have these people hound you - not that that’s - I don’t want to display any sort of prejudgment.

MR. SHEILS: There are benefits to filling out an HRA. (Laughter).

DR. ROTHSTEIN: If you do so voluntarily and you are inclined to do that. I mean, I have actually reviewed the data and it only has value - If you are coerced, it doesn’t really have value.

My concern about the PHR being tied into this is now you have lost lots of your options, and you have just eliminated - you are either in or you are out, and if you are a low-paid employee, it seems to me that this is just another way in which your privacy is going to be violated.

So that is my concern about linking the PHR with the HRA.

MR. SHEILS: I think you are raising, really, an ethical issue with respect to the way plans or employers provide incentives for employees to fill out HRAs, and that is obviously a societal issue, but I think the technical issue that we would address is that at the end of the day, the employee has the option of either participating in the HRA or not, and whether or not the employer has some underhanded - or the plan has some underhanded way of trying to get access to the data is really kind of an issue that should be addressed in ethics committees as opposed to the technical side.

But I think there is tremendous value - and for those folks who are not opposed to the notion of completing an HRA, obviously, once you submit the additional data, the enrichment of the data enables better analytics to take place, so you have, actually, an argument to the employee that there is a downstream benefit to you as an employee to enable the plan or the business associate of the plan to take that additional data and run analyses against it to help you with your healthcare decisions.

So there is certainly value. The way it is actually accomplished, obviously, you raise some good issues about some issues that should be discouraged, but the value of an HRA supplement to the PHR, I think, is fairly well documented.

DR. ROTHSTEIN: Okay. Thank you.

Okay. We’ll go this way this time. Dr. Tang.

DR. TANG: Mr. Sheils, let me just test my understanding of what you described. I think it is an ASP-hosted version of a PHR for your members, and then you said that if you change a health plan, then you would pass that person’s claims, in a sense, onto the next payer.

MR. SHEILS: Correct.

DR. TANG: Is there a thought of once you start this, if people are willing to both comply with the standards and to share, as people move around, could you go get all the previous claims history just to better populate an individual’s -

MR. SHEILS: I think that may be a prospective goal, but I think it will be almost impossible to start now and go back and try to get claims from the various - because they haven’t been created or stored in the right format. So I think it is almost impossible to view it retrospectively as going back and get the longitudinal record.

There are companies, as you know, that try to do that. There’s Verispan and NDC that have tried to create with these algorithms kind of virtual longitudinal records based upon historical access to claims data, but I think, for our purposes, it would be plan based and, prospectively, that once you are in the PHR for Aetna and you move to CIGNA, Aetna would be obligated to move the PHR data to CIGNA.

DR. TANG: And do you anticipate that there’ll be any competitive concerns with the sharing?

MR. SHEILS: I think that is the big issue. That is why I mentioned before AHIP is going to have an interesting debate about why Aetna should want to supply CIGNA with the PHR - because the obvious goal is to retain the member. We don’t want to make it easy for the member to switch from plan to plan.

I think the way to address that at the board level at AHIP is to say, as I mentioned before, there are competitive advantages and differentiation capabilities in the PHR that you would say to your member, If you stay with Aetna, for example, we give you more powerful analytic tools. We - you know - we provide you with greater insights into your healthcare than the subsequent plan might, but the base raw information is a commodity. It actually should be transferred from plan to plan. It is the analytical - you know - enhancements to that that should provide, you know, essentially competitive - you know - comfort to the plans as they adopt this system.

DR. TANG: And would it be possible for the subsequent plan to apply analytics to the claims history -

MR. SHEILS: Sure.

DR. TANG: - of the previous plan and -

MR. SHEILS: Yes, absolutely. Yes, but it is really the nature of the analytics, I think, that are going to be the differentiator.

DR. TANG: Well, I mean, glean information about the previous plan and -

MR. SHEILS: Well, yes, I think - they won’t give them the kind of plan design-based information that really kind of tells the subsequent plan how much they charged. It would be the raw - you know - medical - derived claims data information about list of medications, those kinds of non-plan-design issues.

MR. REYNOLDS: Thanks to both of you.

I think it is interesting. As many discussions go on, we say electronic health record, we act like we all see one doctor, and I think that what the PHR is going to allow is almost some kind of a data-rich index as to the things that are going on with a person. If HMOs had won to where everybody had to go through a gatekeeper, it would have been different. So I think more and more there is a correlation between the two.

Then, obviously, whether or not the person puts everything in the PHR and whether or not there is something on there that says I purposely left stuff out, because of - you get into good medicine versus good privacy versus good business.

I might want to put all mine on there, in case I’m up here and I faint today, and somebody could - a doctor could access it from one of the hospitals in Washington and they would really know who I am seeing and what is going on with me, that would - I would like that.

But I think the question still becomes, as we look at it from a privacy standpoint, regardless of whether there is an EHR - a magical EHR in the sky or it pulls together all the doctors or there’s a PHR that says who my doctors are and then maybe I can get a link to their system to find out what is going on.

What do you see as the mechanism to decide - for the person to decide who gets to see it and what is the type of data that they have to put in so that you know it is a doctor, you know it is an entity that should get it in? Because, in the end, we are just electronically setting up data and now we go at it. So that’s our issue continually.

MR. SHEILS: Many of the vendors, by the way, in the - I’ll call it the payer PHR space have elaborate presentations which I would recommend the committee view regarding the security and authentication systems put in place to address that very issue. A company called Care Keeper, for example, I would highly recommend you look at their system.

What they do is essentially format the PHR in discrete data sets that enable the patient to determine what components of the PHR should be viewable by whom, and they also have an elaborate system, certainly - and it is all, by the way, patient controlled, not family-member controlled. It is really down to the patient - and then they go through this elaborate system of saying how the patient gets authorization to access the data, and, then, there’s different kinds of security protocols they can apply to what providers have access to what portions of the data, but I am not the one to actually go through the detailed technical analysis of how those authentication systems work, but those folks would be more than happy, I think, to present to the committee their solutions to those authentication and data-segmentation capabilities for their systems.

MR. MC BRIDE: I’ll just add to that and say there are a number of vendors that I have also run across that are dealing with just that issue. There’s Care Key. There is also You Take Control.

Some of these companies are acting sort of like Switzerland, if you will, in the sense that their sole purpose is to - you know - basically serve up the data, point to where it is and so forth, but they track the patient preferences, so when you say like you take control in that example, the patient actually takes control of who sees what data down to a very granular level.

So, once again, that technology exists, and a lot of the detail around the business or operating rules needs to be built on, you know, exactly when a request comes in, you know, how is it serviced and who has the right to see that request and who has the right to respond to it, and should it be stored, in fact, going to previous questions that you have asked.

DR. TANG: Just a quick followup on the authorization, and that is an interesting description of Care Key and their authorizing various levels of access, but the original, actually - so one of your members wants to set up a PHR, how do you authorize that individual as the party actually accessing that piece of data?

MR. SHEILS: Well, it depends on which protocol you select, but there is a series of password protections, identification that is specific to the individual.

Right now, to get into the claims database - or, excuse me, to get into your claims history of payment at Aetna, you have to give your password - your ID, your password and then some other level of identification.

DR. TANG: How do you set up your original password? I mean, how do you authorize - authenticate the member?

MR. SHEILS: I don’t know how it is done today at Aetna, but, prospectively, it would be some form of probably written authorization that you then say to the patient, You have to authorize Aetna to set up a PHR for you and designate which password or which security protections you want to - you know - you undertake.

DR. VIGILANTE: Actually, Harry addressed one of my questions, but I made the reference earlier that a doc would always want the EHR, but, you know, as somebody who spends life in ER medicine, where you, by definition, take care of people you don’t know every day and who seem to invariably not know some of the most basic things about their health and what is going on, particularly medication, recent lab results and a list of diagnoses, I personally would find this actually very valuable, particularly in the ER setting, just to be grounded in what is going on with a given patient. So I think this is - at that level, this is very useful information.

DR. ROTHSTEIN: But you could also have that summary type record through the EHR. You wouldn’t need a PHR.

DR. VIGILANTE: Right. If an EHR exists.

DR. ROTHSTEIN: Yes.

DR. VIGILANTE: Right. The nice thing about - this is claims generated, and so is it typical of claims-generated data to have actual lab values, a), and b) is there any hope that one would - claims data would actually generate - because the other things I would like to see would be - you know - a result of a stress test or an MRI or something like that. Any hope of getting that in the same way -

MR. SHEILS: Yes, well, the answer is no. Typical claims databases don’t actually - you know - store lab values, but many of the plans have long ago contracted with the lab companies to deliver those lab values, so that they can employ them in their analytic abilities to determine, you know, trends and predictive modeling capabilities.

So, yes, I think the goal of the PHR infrastructure would be that you certainly start with claims data, but that you create the system in such a way that it is open enough to enable claims - excuse me - lab values to come in, images from radiology departments to come in. It starts to sound a lot like an EHR, and that is kind of where this parallel development effort has to occur, because once you build the member-centric record, you can import data into it according to standards that get it closer and closer to being the same goal as the EHR. Won’t be as rich, but it is clearly the first steps would be lab values, radiology images into the system.

DR. VIGILANTE: So lab values now would say come from something like - wouldn’t come from the hospital. It would come from -

MR. SHEILS: Come from Quest.

DR. VIGILANTE: – Quest.

MR. SHEILS: Yes. That’s correct.

DR. VIGILANTE: Right? And so your - Okay. So it would get - the more fragmented that market, the more difficult it is to get that data in terms -

MR. SHEILS: In that case, it is not a very fragmented market.

DR. VIGILANTE: - isn’t, but MRIs -

MR. SHEILS: Correct. Right.

MR. MC BRIDE: We take a very similar approach as well, as far as in the State of Florida, again. If you look at the payers that we have brought together - Aetna, Blue Cross, you know, a number of payers in Florida - if you look at the labs, as an example, you can do the same thing. You can apply the same paradigm of having them go through - you know - for lack of a better word, a clearinghouse, but somewhere where this information can be consolidated appropriately and securely, taking the same approach.

MR. HOUSTON: Yes, I heard both of you discuss the fact that there is this need for a patient’s authorization scheme in order to approve access to the information via a provider, and yet on looking through the testimony of Mr. McBride, I know that one of the things you did say is the need for uniform privacy laws, and I guess part of my cynicism says we probably won’t have - not have that, but I think that - personally believe that an authorization scheme - a robust authorization scheme would tend to be able to address the - sort of the landscape of varying privacy laws throughout the country, and I just would be interested in sort of telling me whether I am right, wrong or you think that it is workable to deal with - a robust authentication scheme or authorization scheme to try to bridge - you know - bridge this issue?

MR. MC BRIDE: You are talking primarily about security or the privacy -

MR. HOUSTON: Well, I think what I am hearing is the patient would authorize what information about them is made available to a provider, and I think that that is a basic rule that seems to be pretty common amongst state privacy laws is that the cornerstone of all the privacy laws seems to be this concept of patient authorization, and I am just wondering if, based upon the architectures I am hearing you both indicating, it sounds like you could use that as a way to sort of bridge this issue.

MR. MC BRIDE: You could potentially do that. I believe, you know, the higher up you go - once again, starting off, you have to consider the time factor here, too. If we want to do this quickly, I am suggesting this opt into a system that would be at a more national level, possibly easier to understand, because from the last testimony I just heard from three different organizations, it sounded like not a single patient declined being part of - you know - EHRs and PHRs, whatever are being built there. Not a single patient decided not to participate in that.

MR. HOUSTON: So you are saying opt out versus opt in.

MR. MC BRIDE: I am just saying in that circumstance, none of them opted out. They all opted in. They chose to sign an agreement basically allowing their information to be included in a database. So, once again, I think that boils down to now there’s three different entities with their own privacy rules that they have just decided to enact and a patient has signed this.

I’m saying the more of those you have, if we let that get out of hand, every single one of those agreements are going to be different. So when you try to hook up at a national level, it would be extremely complex to navigate through all of the agreements.

MR. HOUSTON: Do you think within an HIN - you sort of talk about this concept of a - even though there’s a lot of local control over information and the like, but there’s still this governance that’s through some -

It seems to me, I think, what you are saying, though, is in your written testimony is there is a sort of a governance that is national. Do you believe that that national governance could dictate the form of an authorization that then could be used as the basis for - you know - a common authorization that then could be used, which would then satisfy - you know - different varying state and federal laws regarding privacy?

MR. MC BRIDE: I do believe that that is the case, and, once again, at the national level, I would be talking about a minimum set of requirements. So it would be very scaled down, compared to what you could do maybe at a local level, perhaps. So, you know, the fact that there are different agreements that maybe pertain to how you pass from department to department, maybe they are more stringent or - you know - they are just different.

I think that is okay. It is when we start to interconnect and we start to talk about interoperability that the real issue of - We need to have something high level, a minimum agreement about what needs to be authorized and what can be passed. Without that, the interoperability aspect becomes, once again, very complex.

MR. SHEILS: I think it is fair to say that as you increase the rigor of the authentication and authorization standards applied to an electronic record, you decrease the risk of violating state law, but you do not eliminate it. So I think that it would be too much to say that a bulletproof authentication and authorization standard gets you out of the soup of making sure your system complies with state privacy laws.

MR. HOUSTON: And I have one other question.

DR. ROTHSTEIN: Well, I think Kathleen has a followup, and then we’ll come back to your question.

MS. FYFFE: I don’t know that it is a followup. I want to get back to the lab discussion.

DR. ROTHSTEIN: Okay. Then we’ll put you in the queue.

MS. FYFFE: Thank you, sir.

MR. HOUSTON: One of the other questions that - one of the other things you said in your written testimony was that you sort of - the concept of the internet as being sort of - it is being the vehicle, and I guess the question I would pose is should that be a given or should we be looking at some type of - you know - internet two style - that is probably not the right way to phrase it, but some other alternative private network where RHIOs and an HIN creates to be able to ensure maybe a higher level of security than otherwise would be available via the internet, at least for the high-volume transactions that might go on between a RHIO and the different providers and the payers, knowing that there is going to be a lot of volume in that type of environment?

MR. MC BRIDE: I think the internet can serve as a part of the stack of technology, and I am a big believer in it. I think that the standards have come - you know - quite a long ways since the inception of the internet, in terms of security and communication and so forth.

So what I am suggesting is, where appropriate, we use the internet, especially the standards and protocols that have been developed, for communication and security.

Whether we build more on top of that, I think that that is certainly something that is up for debate. I think that there can be additional levels of security, but, once again, it can’t be something, you know, in a vacuum. It needs to be something that I think is an open standard, even if open in this context means open within the healthcare industry. So, once again, I think the internet is very secure.

When you talk about leased lines and a lot of things today that serves up a lot of connectivity and healthcare, it is arguable, but leased lines are not necessarily as secure as a VPN over the internet, let’s say, because oftentimes, a leased line is not encrypted, and, as you look around at technology today, if you look at switches, for instance, almost every switch today is a virtual switch. You don’t actually have - you know - a point with a wire connected all the way down from Washington to Florida. These are all virtual switches. Virtual switches use quite a bit of software and technology where you are literally passing unencrypted data over virtual switches. So when you talk about some of the security through the internet, it is actually more secure in some circumstances.

DR. HARDING: I would like to give a compliment and a caution.

I am an educator, and I was delighted to see in the plan here from Aetna that there would be an educational process in the PHR, where, I think you mentioned, you would send JAMA articles to individuals who had diabetes or something along that line.

The caution is that from previous testimony that we have had through the last year or two that sometimes there is a very close call between education and marketing and that if Aetna is giving out recommendations of healthcare, then we would assume, of course, that that is nothing but the scientific facts and has nothing to do with Crestor(?) versus Lipitor(?) or those kinds of things, and just wondered if you had thought that through a little bit.

MR. SHEILS: We actually spent a lot of time understanding the implications of those kinds of issues at Medscape. Medscape actually created a fairly well-known brand in the space by making sure that information provided to physicians was not influenced by, in fact, in Medscape’s world the sponsors of the site. So we hired, actually, George Lundberg(?), former Editor-in-Chief of the Journal of the American Medical Association, to ensure that integrity of the editorial process.

In the plan environment, I think it is less - first of all, there is no pharmaceutical sponsorship of the PHR that is contemplated in any proposal that I have been associated with. So it really may be a matter of determining from a - maybe an editorial board which evidence-based information is delivered based upon this particular clinical profile. It would not be influenced by the fact that - you know - one pharmaceutical company would benefit from having the favorable article in JAMA submitted as opposed to somebody else.

So we are very aware of the potential perception of influence by pharmaceutical companies and others on the independent evidence-based information we would supply to a patient based upon claims data.

DR. HARDING: But, see, Aetna would be subcontracting with a pharmacy-benefits group.

MR. SHEILS: We have our own, actually.

DR. HARDING: Okay. Pardon me, but that group could benefit.

MR. SHEILS: Sure. Yes, those plans that have a PBM have the apparent conflict that - you know - there is a relationship between the pharmaceutical companies and the PBM that would potentially influence a plan’s information distribution to the member, and we are very aware that that - we can’t cross lines in that respect.

DR. HARDING: Thank you.

DR. ROTHSTEIN: Thank you.

Two final questions. Dr. Tang and then Ms. Fyffe.

DR. TANG: They may be very related, because it is on lab as well. So it was interesting to hear that a plan could get all the lab values from lab contractors, and what is the HIPAA basis for getting access that kind of information?

MR. SHEILS: I think the - I don’t know the specific answer. I would argue that, as a covered entity, you know, we can get access to information for purposes of health operations. So we can use the information from the lab to conduct analyses of the data on a global level to determine, you know, trends in predictive modeling for the benefit of the patient population. I don’t know the specific HIPAA issue with respect to whether or not there is additional information, additional regulations relating to use of that information in the PHR. That will be one of the things we are looking at as we conduct a legal evaluation of the PHR as it relates to all the data points that we would bring in in addition to the claims, things like lab values as well.

MS. FYFFE: That is part of the question. Actually, Jon, you sort of said, well, the labs - Tell me a little bit more about the labs -

MR. MC BRIDE: Sure.

MS. FYFFE: - and under what circumstances there would be data feeds of not the requests for the lab tests or the fact that you have paid for a lab test, but the actual clinical values.

MR. MC BRIDE: To make sure I understand your question, let me take a stab at answering this.

MS. FYFFE: Yes, thanks.

MR. MC BRIDE: But when I talk about Availity servicing labs and payers, our customer, the user, is actually the provider. So Availity looks at the work flows and serves up portals to providers. This would be providers, perhaps, that wanted to refer a patient, one of their patients, to another provider, and that provider may need to see a lab.

In that case, this doesn’t really have anything to do with the health plans. This would be a provider saying, I have this lab value. I would like for Dr. Smith to see this, and Dr. Smith, she may decide, you know, I need something else, and may ask for some information from another provider. So it could be collaborative on the provider side, not necessarily the payer side, the health-plan side.

DR. ROTHSTEIN: Well, I want to thank both of you for your testimony. That was very helpful.

I don’t know whether we are closer to any answers, but we are closer to the questions - (laughter) - and we will resume at one o’clock, after our lunch break, with international health systems.

(12:13 p.m.)

* * *

(1:05 p.m.)

Agenda Item: Panel III – International Health Systems

DR. ROTHSTEIN: Good afternoon, everyone.

We are now prepared to resume our hearings on the National Health Information Network, and I will attempt this afternoon not to do to international relations what I apparently did to wellness programs this morning.

Let me also say that, in addition to our two witnesses on Panel III, at four o’clock this afternoon, we will be taking testimony from Dr. Brian Richards and Ms. Jeanine Ward from Australia about the Australia health system, and, tomorrow, at 11:00 a.m., we’ll be hearing from Ib Johansen at the Danish Centre for Health Telematics, and so this is - we’ve got two in-person witnesses and two witnesses by telephone from Australia and Denmark, and if you have heard part of our session this morning, you know how we are searching for answers and we are searching for help, and anything that you can provide us with along those lines that other countries are doing, have considered, where you are on this issue would be very helpful.

So I am pleased to welcome Mr. Sheridan and ask you to proceed.

MR. SHERIDAN: Well, thank you very much -

DR. VIGILANTE: Can I just interrupt - I just want to - interest of full disclosure, I just wanted to say that Booz-Allen has recently done work for Canada Health Infoway. I don’t believe there is any conflict of interest, but I just wanted to disclose that and be cautious in conversation.

DR. ROTHSTEIN: Thank you, Kevin. We’ll have that on the record.

MR. SHERIDAN: The work wasn’t that great, Kevin, so – (laughter).

Thank you. It is a pleasure to be here today and appreciate the opportunity, Mr. Chair.

I guess, basically, I’ll just - I won’t bother with my - Oh, well, maybe I will bother - So basically talk a little bit about the drivers for healthcare reform in Canada, and, you know, at the end of the day, I suppose the patient is at the end of the drive and the process, and so perhaps not a whole lot different than some of the issues with U.S. patient and healthcare, but, certainly, at the end of the day, we are looking at a set of fundamental issues looking at how to improve access, how to reduce wait times. Looking at our overall contingency of human health resource services, home care, home-care issues, national pharmaceutical strategy, public-health strategy and a public-health surveillance strategy, aboriginal health, and, basically, in terms of the overall process, accountability vis-a-vis expenditures and the implications in moving the agenda forward.

Just to give you, very quickly, a little bit of the flavor for the sorts of issues, in terms of the drivers, not just demographic, but, actually, in the actual care system, for every 1,000 hospital admissions in Canada, 75 people will suffer an adverse event. For every 1,000 patients with an ambulatory encounter, there’ll be 20 people who will suffer a serious drug event. For every 1,000 patients discharged from the hospital, 90 will suffer adverse drug events. For every 1,000 laboratory tests performed, up to 150 will be unnecessary, and the list goes on in terms of the potential impacts in terms of some of the challenges around the system following up on sort of three particular venues, primarily, looking to drive forward progress in access, in the quality and in the productivity of the care and the delivery in the healthcare system.

As far as Canada Health Infoway is concerned, our electronic health record program looks at six basic drivers: Demographics, which are associated with registries, both client and provider registries; diagnostic imaging; laboratory results; drug profiles; immunization and telehealth. Those are sort of the key components of where we are looking to make progress in electronic health records over the next three to four years.

In terms of the actual access, quality and productivity side of the equation, we have pulled together some estimates from a number of different studies looking at if we were to implement an electronic health record for each resident of the country, what would be the ongoing savings to both the system as well as to the care for the patient, which are sort of the penultimate drivers.

So, for us, in looking at it in terms of access, the availability of services and access to services, we are looking at, from the implementation of electronic health records, about $30 million a year in savings, primarily around medical transportation savings and costs in moving patients around from critical-care facilities to clinics, et cetera, et cetera.

On the quality side of the equation, adverse drug effects, we are looking at a potential savings through the implementation of interoperable electronic health records somewhere around $3.4 billion per year to the system, across the system.

And diagnostic imaging, using PAX(?) technology in a OHER environment, looking at savings of potentially up to $1.6 billion per year.

So these are not just the financials that, at the end of the day, we are talking about in terms of productivity and quality. We are also talking about the overall care-delivery system and the health of the patient.

Canada Health Infoway was created to foster and accelerate the development and adoption of electronic health records and information systems across Canada. We are a not-for-profit corporation and basically have a shared governance. The 14 jurisdictions in Canada, the three territorial, 10 provincial and one federal jurisdictions are, in fact, the owners of Infoway, and, in fact, set the mandates and the agenda for the corporation and its governance.

Basically, the goal for Canada over the next three to four years is to have 50 percent of all Canadians in an electronic health record across the country, and why only 50, we can talk to the issues around 50 after that.

Infoway is a strategic investor. We do not build the systems. We do not hold the systems. We do not hold the health data. We do not hold the clinical data. We are strategic investors with the jurisdiction basically to invest with them to find pan-Canadian solutions to issues around lab, clinical, drugs and other solutions to moving to pan-Canadian interoperable electronic health records.

The funding formula that we use is a 75/25 formula for eligible costs, and the capitalization of Infoway at this particular juncture is about $1.2 billion, which will be depleted over the next three to four years to get to that 50 percent of Canadians having electronic health record.

In terms of the funding process, the gated(?) funding model that we use provides for if it is not delivered, then we don’t pay. So there have been some issues around that, in terms of take up from the jurisdictions, but, at the end of the day, the cooperation model has, indeed, worked for us and is working well.

We have nine programs, strategic investment programs that make up the Infoway corporation: Innovation and adoption, interoperable electronic health records, drug information systems, laboratory information systems, diagnostic, public health, telehealth and then client-provider location registries and an infostructure program in terms of standards and blueprints for achieving these.

We have a national agenda. We are levering what is in place in all jurisdictions. I think that this is a slightly different - this is, I think, a significantly different approach from what is being done in the UK and in England, in particular.

So we are not promoting a rip-and-replace program. We are basically building on what we have, driving across shared governance, standards, pan-Canadian standards for interoperability and looking at the direct business benefits for all of the investments that are made in terms of very specific outcomes and very specific benefits for Canadians.

The business strategies, I think, I’ll skip over in the interest of time, but there is one piece here that is important, and that is the notion of focusing on end users. It is the end users in the system that really, at the end of the day, trying to make these huge changes in technology, moving from a paper-driven world to an electronic world, where, indeed, looking at our challenges is - primarily in the area of end-user adoption for these electronic health records in order to be able to move the agenda ahead.

Key definition for us is what is an EHR? The last two people providing testimony here and looking at it, it sounded like the vision of EHR versus electronic health record and electronic medical record, a personal health information record, some terminology there that we should probably lay out straight at the beginning.

For us in Canada, it would be a secure private lifetime record with key health history and care within the health system. The record would be available electronically to authorized healthcare professions, and the individual, anywhere, anytime, in support of high-quality healthcare, also to provide across a continuum of healthcare and healthcare delivery organizations the kind of information that is required to manage the patients.

Quick look at the type of architecture that the EHR in Canada is proposing. Basically, we would have a set of domain repositories which would include laboratory, pharmaceutical and imaging information. A repository would cover a population of about 1.5 to 2 million people. The same thing in terms of client registry and provider registry. So, roughly, when you take a look at the population, looking at the IEHR, in the case of, say, PACS Imaging, we are looking at probably 25 to 30 PACS Imaging nodes across the country that would hold those PACS information for the diagnostic imaging and be accessible from the physician’s office and from the critical-care facility. Same sort of thing for lab and the same sort of things for the repositories associated with pharmacy and drug.

I should say, in terms of client registry, client registries and provider registries are the single sole source information and demographics on the patient, and the provider provides all of the demographics and information around the specialist and the provider, including pharmacists, nurses and doctors.

Privacy issues, very quickly, looking at a survey that was recently done, about 85 percent of Canadians support the development of electronic health records, which is a very high level of endorsement on them. The results of the survey indicated that Canadians strongly believe that electronic health records will, in fact, improve the ability of authorized healthcare providers to provide better quality of care, but, on the other hand, they have some concerns, particularly about who has access to the record, how they have access to the record and for what purposes they would have access to the record for, and, basically, that care around their privacy with respect to the EHR certainly came out in the survey and we certainly heard some of those discussions this morning.

The privacy challenges for interoperable EHR solutions, I think the members of this panel are probably quite familiar with those.

You know, we are looking at issues around consent representation mechanisms. We are looking at authentication and authorization techniques, role-based security and privacy, contextual access criteria to data and trust models between systems, and I think on the trust side, the trust model side of the equation, we are probably a lot further ahead than we are on some of the other areas with respect specifically to privacy per se.

So I think, in terms of the security side of the equation, where we stand today is probably further ahead than we are in some areas with respect to the privacy.

In looking at some of the work that we have done on privacy, we have, in fact, created a conceptual architecture for privacy security in which we have uptaken a broad set of consultations with stakeholders. In Canada, the actual health records and the privacy associated with those have 13 different sets of legislations associated with them, and the jurisdictional governance of the actual health records themselves are at the provincial and territorial levels.

So what we have done in terms of privacy in trying to move ahead our process for saying what would be the best way to build architecturally a privacy and security set of requirements for EHRs, which turned out to be 28 sets of privacy-specific issues and 87 sets of security-specific related issues, we put together a group of experts and people from the jurisdictions to lay out a conceptual architecture for what a privacy and security architecture would look like, the sorts of standards that would be in there, and something that would respond to the individual privacy acts for each of the various jurisdictions, and the requirements for what would be appropriate for an interoperable EHR.

We are just finishing the work on that. We’ll probably be publishing that in the next month to month-and-a-half, but it will lay out the high level privacy and security requirements for an interoperable EHR.

In moving forward for us, some of the issues that - looking at in terms of the potential of increased privacy and confidentiality, automated audit and alert capabilities, I think, are something that are probably, in an electronic world, developing at a very fast pace and will be particularly useful for privacy and security; putting limits on who can access what and when they can access to particular sets of data; automated consent validation and the management of that consent validation and the limit of the modification of EHR data to authorized personnel are some of the issues that we are still taking a look at.

We think that the technology, as it has evolved today, probably puts us in a position to clearly enforce the privacy principles, in some areas, probably better than in others.

So as we try to move forward, some of the challenge that we are looking at is the actual overall progress for us in terms of investment, and moving the agenda ahead has been slower than we would have liked and has been slower than we actually planned.

There has been some issues around the jurisdiction’s ability to find the funding to move forward the electronic health record agenda in several areas in the country.

As I mentioned earlier, the adoption and exception by healthcare professions means major changes in terms of work flows and interaction with the way, not only the way they interface with patients, but also the treatments of patients.

And, finally, at the end of the day for us, $1.2 billion, which is about 25 percent of the total cost in terms of where we are looking in clinical healthcare, is clearly not enough money to solve the electronic health record issue in the country. Our estimates now are looking at somewhere in the neighborhood of $10 billion in order to be able to deliver an electronic health record for 100 percent of Canadians.

So that is a very quick update on where we are and what we are trying to do north of the border.

DR. ROTHSTEIN: Thank you very much. I know we’ll have some questions for you at the end of -

MR. SHERIDAN: That is unfortunate. (Laughter).

DR. ROTHSTEIN: You must have heard the other questions that we - (laughter).

Dr. Detmer, welcome back to NCVHS, and appreciate your coming and anxious to hear what you have to say about the UK.

DR. DETMER: Thank you.

Let me get these up here.

DR. COHN: And, actually, I just want to take a moment to just remind everyone that Don is actually a former Chair of the NCVHS -

DR. DETMER: Good afternoon. It is nice to be here today. Actually, I was with a different committee last week. So it is sort of deja vu all over again, as Yogi Berra says. (Laughter). At any event, it is nice to be back, and nice to be back in this room with you folks.

I, obviously, am not going to try to adopt my East Anglian accent this afternoon, because it wouldn’t pass. The reason I sit here as an American talking about the British current law relating to - as they say - privacy is because I did spend 4-1/2 years in Cambridge up to about a year plus ago, and in the UK actually was asked by the Undersecretary of State to review their strategy in the UK, and have stayed in touch.

Having said that, I really do consider myself a fairly weak substitute for some other people that really could be here today and they aren’t. So if you do have some specific kinds of questions that go beyond my capacity to manage to this, I’ll be happy to get back to you through my contact.

Now, what I’ll be doing is focusing more on United Kingdom and, to some extent, European Union law, because that is now playing into this whole thing quite a bit, and, really, frankly, all of Europe is struggling to try to figure out how to do these balances between these sets of issues, and, of course, to put it in the context of the Infoway, as you know, the UK - and that is really England and Wales, not so much Northern Ireland and Scotland - are engaged on really a fairly massive effort to computer base their care system.

Now, it is interesting in the sense of how that plays out different from the U.S. situation is they really have not had a personal health record interface to the doctors’ records, if you will. So the National Health Service system is really kind of an intranet sort of system that really it doesn’t have much of a semipermeable membrane, if you will to people going to the internet personally and then trying to relate to it. So it is pretty much all in a contained situation, and their architecture, I think, is going to have to go through some sort of agonizing reappraisal as, obviously, this new kind of technology of clicks and mortar kind of care starts really moving forward.

Okay. Having said that, what I am going to do is draw heavily on a presentation given by one of my close colleagues in the UK, who I worked with a lot at the Judge(?) Institute, the Business School in Cambridge, on a lot of these topics, and he gave a presentation to the Medical Research Council at a workshop they had last year, and it is updated somewhat, but it is sort of their NIH.

So at the end of this presentation, I do have some things that relate to how this is playing out relative to research - clinical research, medical research - that I really won’t have in my comments. I’ll stop before then, but if you are interested, we can talk about that, because I know you have had some hearings in that area as well in the past year.

Now, to again set the stage, I think the biggest differences, really, in how this plays out in the UK versus the U.S. is, obviously, they have universal state provision, which means that only about 10 percent of the population actually has private insurance, in the sense that we would talk about it here. So their system is basically a dominant government system, and that changes the dynamics. I really think a lot of our issues in this country relating to the whole privacy issue really comes down to - you know - this fact that we really don’t have universal access to care, and I think that would change the dynamics. We worry about what happens to insurability and a lot of these sorts of things that really over there it is just not part of the picture. So that changes it.

The other situation, as I mentioned, there is a state of real flux going on right now between what is EU law and what is UK law, if you will, and that plays out in the other countries as well.

I think it is a safe statement to say that the medical community feels like the privacy regs to date - and not so much the regs, per se, but also the reaction to the regs, and I think we see this with HIPAA as well over here. The reaction to it is such that it is adversely affecting research, and there is, I think, a sentiment that it is hurting research across all types of research and all phases of research. So it is a serious issue, I think, frankly, in the biomedical community perceptions over there, and I’ll talk more about how that plays out.

Compared to the U.S., electronic health records really are less of an issue, I’d say, just publicly. They just don’t get as much press as being that big a deal, and unique health identifier is not an issue at all. I mean, 330 million Europeans now have a unique health identifier card and they just don’t see this as an issue.

They are having a fair amount of debate over a mandatory citizen ID card in the UK, but it looks like the Prime Minister actually will be effectuating even that move in the next year for security issues.

Much less media intensity around the whole concept of privacy. It is just not really on the scanner in the same kind of way it is over here.

So what I am going to do is to talk - give a general background a little bit, talk very lightly about the legal backgrounds, issues of consent, anonymization and then, hopefully, there’ll be some discussion.

I think for the general view, they have a HORUS model, which is their general information governance model, and that basically is holding information. Should you be able to hold information? Obtain, did you get the information appropriately, properly? Is it recorded accurately and meaningfully? Using it. What are proper uses for the information. Who can you give it to and so forth, and sharing who else can hold it and who else should have it. So it is that basic sort of framework that they use.

I would say the ethics really are pretty much parallel between the two nations. I really don’t see that the general considerations - although we are otherwise separated by common language, I think on these aspects, we really are pretty much on the same page.

Now, the problem, of course, in trying to activate and really develop rules and regs and then have them actually work is that the kinds of things that come up in healthcare and such are so complicated and so multivaried it really is tough to, I think, create regs that allow things to happen, at the same time meet the needs. So it is difficult to codify.

Now, this shows you how much action is going on. There has been a huge amount of activity, and it is fascinating that, in general, you’ll notice that they actually got into this back in the early ’80s, and, to some extent, that followed this country’s development of privacy regulations for government-held data, but because we don’t have a national system, we didn’t put it into our private sector. Whereas, they have a national system, started actually getting into this for all of their systems a long time ago, so, in many respects, much like the NHII, they are kind of ahead of us in Canada and so forth, because they have been at it, I think, to some extent, picked up on some of the work, obviously, that they have done, but some of the work has been done in this country, too, but had a national system so they can move it forward.

In any event, as you can see, this is a busy slide, but it needs to be there because it shows you how much busy-ness has actually been going on really to this, and I’ll be going through some pieces of this going forward.

The legal background, there is the common law of confidentiality. There are these OECD principles that come from the members of the OECD. Going back, the Data Protection Act in 1984, and, as you can see, a continuing set of laws that relate to either European Union-derived activities or things actually that are the UK equivalents of some of those or spinouts of some of those going forward.

The key, I would say, piece of legislation was the Data Protection Act of 1998, which is essentially the UK version of the EU directive which really had to say, you know, how do you hold data? How do you use data, whether it is paper or digital? In fact, they don’t particularly discriminate between the issue of what is the form in which the information is held.

The Human Rights Act in 1998 was the start of an effort to even try to - if you will - sort of give people a - quote - right to a private life, if you will. It really wasn’t something that was even in the scanner ’til that time.

Freedom of Information Act in 2000. Clinical Trials Directive and the Human Tissue Bill, which was a bill at that time in 2004 - it has now been passed into law. So, at this point, that is no longer a bill, but a law.

As I said, Article 8 in the Human Rights Act talks about giving respect to a private life. The interpretation of how this plays out is still not really clear, and, in fact, much of what is going on right now, it strikes me, is trying to figure out what do these laws sort of mean, and, as I say, that has had an impact on the research community, but it has an impact generally as well, as people are trying to figure out really how do we try to move these from the idea - much like the implementation of HIPAA, if you will. You start it, but then you have to figure out what’s this mean and how do people really sort of respond to it and how does it shake out.

There are a set of definitions and principles in this, and there are exemptions given for medical purposes. Now, one of the things that is interesting in that, the tricky part, is this Section 60, which allows you to exempt certain person-specific information to be used for medical research, but then the question is is how do you decide what the guidelines for that are and the mechanics of operating that, and they started this committee called the Patient Information Advisory Group to advise the Secretary of State on that. It applies only in England and Wales.

The issue is is that this PIAG has really had a challenge trying to figure out how to operationalize their work, and they are underway on that. They are trying to avoid a major backlog, but people are wanting to, obviously, move forward on some of those things, but exactly what will be allowed direct access and under what circumstances and so forth is still under play. There is no - right now, there is really not a clean, clear answer to that.

The principles are, though, that you either must have consent to - the data or anonymize the data. The purpose for the use of the data must be beneficial and proportionate. You must have effective security, confidentiality and data retention and disposal policies in force. So pretty much you have to follow the general guidelines, but within those, then, you can get access to data.

Now, I’ll have to say, though, having done research in the UK at this time myself and trying to get access to person-specific information for diabetes, chronic diabetes management in the Anglia region around Cambridge was tough because the point was that at that time, the hospitals - or the trusts, as they are called - didn’t really have any particular incentive to give you the data if they might later find themselves at some risk if they did, and so it was, frankly, just easier for them to just sort of say, Well, we think we probably shouldn’t do this, and so one of the problems, of course - and I think we see elements of that here, too - if you may be causing a problem, it is probably easier just to sort of say, Well, let’s not expose ourself to a risk we may not need to have, and so the other social good sort of just somewhat falls to the side.

At any rate, there is a lot of other relevant statutes, laws mandating data sharing relating to communicable disease like we have, laws permitting data sharing relating to terrorism and road-traffic acts, laws prohibiting data sharing on certain specific conditions, and there’s laws on data subject to access to medical records and such. So there’s a lot of things out there.

Now, the common law of confidentiality is not written in statute. It is based on case law. It really can result in you getting redress for damages, but nobody is thrown in jail. I mean, you can be sued for breaches of things, but it is not seen as a criminal kind of thing, per se.

Very few cases that are relevant to medical records, and, in fact, generally speaking. This is not an active area of - really that active an area of law at the moment over there. There have been a couple of key cases that have played a big role. This Source Informatics case basically sort of said that - more or less - that if the data are anonymized it doesn’t even qualify as being of concern to anybody. The challenge, of course, is how do you do that, so that, in fact, that is accomplished, but the case basically set that sort of standard.

There are a variety of sanctions in all of these things. As I said, mostly, you can be sued for damages, but I would say fewer kind of - there are some cash penalties and such, not a lot that I think I’ll go into there.

As I said, there’s a lot of regulations, then, that play out against these laws and try to now move these things from sort of the law to what does this mean. All of these abbreviations are General Medical Council, Medical Research Council, British Medical Association. There’s - it plays out through an awfully lot of organizations and entities in society trying to deal with this, not just the government. In other words, it is really a government system interface that plays out at that point.

Obviously, this rather dizzying array of laws and regs is causing quite a bit of challenge, I would say, to people trying to, in fact, just get through their week and do their job, and so information governance, in practice, was an initiative that, now, at the moment, has been set aside a bit because of the effort to put in their information infrastructure, but, basically, what this was trying to do was to pull together a number of these related initiatives. Caldicott Guardians are, for example, privacy guardians that sit in each of the trusts who essentially are a security officer on how data are used, but the idea was how can we actually bring a lot of these related initiatives into some coherence, so that, in fact, people have a little better help on working their way through it.

A tool kit was put together to try to access this and help the - Acute trust means those institutions that get acutely-injured patients and so forth, acute illnesses and such, but the idea was to extend it to primary-care trusts, to mental-health trusts, to GP offices in this next couple of years. As I said, I think this has been slowed up somewhat.

This healthcare commission ratings is the closest thing I guess they have to what we would call the Joint Commission on Accreditation for health systems, health organizations and such. It is a review of your activities, and they do see having part of your evaluation when you come up for accreditation relate to how you comply with some of these issues.

So the concept, basically, in the code is to try to protect data, try to inform people what the policies and procedures are and what their rights are, and, to the extent they can, provide choices to people, in a clear way, so that they can do it, and, then, hopefully, see this thing improve over time as sort of the model.

Anonymization, I don’t think, frankly, it is very different, really, from the way we kind of deal with it here from what I gather.

So I am going to close at this point. As I say, I’ve got some other slides there. Particularly, you might want to go to some of the websites and some of the readings, if you are interested in following up on some of these, because almost all the - either the legislation or the regs that I have referred to have websites associated with them that I think could be helpful.

So I hope this has been useful to you.

Thank you.

DR. ROTHSTEIN: Thank you both very much. That was very helpful, and I know we all have questions. Let me just begin with two, one for each of you.

Mr. Sheridan, could you say something additional about contextual access criteria that has been or is in the development stage?

MR. SHERIDAN: Well, the contextual access criteria is going to be fundamentally driven by the privacy requirements of the particular jurisdiction. So when you say contextual access, you are talking role-definition access? Yes.

Those have been laid out and set aside as part of the 28 items that we have looked at, in terms of the security architecture, defining who has the role under what circumstances and under what particular conditions to be able to access the individual record have been set, and they are set basically in very broad definitional terms to basically define or at least respond to the definitions across the 13 various jurisdictions and their privacy legislations and their access to information and privacy acts, per se.

DR. ROTHSTEIN: So each of the jurisdictions is going to have a different framework for the contextual access?

MR. SHERIDAN: We are trying to define a common set of access and architecture that fits into the overall IEHR. So if you look at it in that sense, the proposal is to have a generic set that extensively covers off the major issues.

Will a generic set work across all jurisdictions in terms of their own individual access and privacy legislations? Probably not. Will it get fairly close? We think so. So at the high level requirement side of both the privacy and the security, we think that we are pretty close on those role definitions.

DR. ROTHSTEIN: And we’ll have a better idea in two months, you say.

MR. SHERIDAN: You’ll have a much better idea in two months, when we come to the conclusion of the final process vis-a-vis the consultation on this.

DR. ROTHSTEIN: Okay. Thank you.

And Dr. -

MR. SHERIDAN: I would be more than happy to make that report available to the committee -

DR. ROTHSTEIN: That would be excellent.

Dr. Detmer, could you say something about patient control of electronic health records or health-record information in general?

DR. DETMER: Yes, as I said, I think, at the moment - and this is going to change, I think, quite a bit in the next couple of years, but, at the moment, I don’t think there’s a big sense in the general citizen’s mind in the UK of discriminating between the paper and electronic record, and, in fact, actually, most patients - just generally, the whole consumers’ movement is such a different kind of dynamic in this country than I think it is in the UK that most patients really don’t really see an interest particularly in having their data or seeing their data. So that plays out quite a bit - you know - differently.

On the other hand, having said that, I think the basic regulations are in place to allow people to start acting in those kinds of ways, but, at the moment, for example, electronic health records are not something that most patients actually even sort of interact with or would even particularly think about particularly interacting with, and, in fact, the GP’s who have electronic prescribing, now, at the level of - you know - almost 90 percent plus - 95 percent - basically, write their prescriptions electronically, but those prescriptions don’t necessarily go through their system electronically. So, in fact, there is not necessarily a lot of transmission to pharmacy or apothecary, you know, to the Main Street pharmacist.

So the point is is that the system really doesn’t move a lot of data electronically or necessarily that much in paper, but the public is also not so much I think even alert to really be thinking about this that much.

I don’t know if that is very responsive -

DR. ROTHSTEIN: Would it be fair to say that the public in the UK is more concerned about consequential harms than, you know, intrinsic harms from privacy violations and more likely politically to address them directly by restrictions on the use of the information, rather than restrictions on access to the information?

So, for example, in life insurance, the UK has a moratorium on the use of genetic information in life-insurance underwriting where we don’t have that, and we would be more likely to try to regulate that by some access rule.

DR. DETMER: I’m glad you brought that one up. That is probably the only point on the genetic information and insurance discovery sorts of uses where this is of some issue in the general population and at least the press, the media. How much of it is actually - you know - at the citizen level, I am not sure, but that clearly is a point where there is debate, and it is being handled, I would say, quite differently -

DR. ROTHSTEIN: Right.

DR. DETMER: - than it would have been handled over here, by far.

DR. ROTHSTEIN: Okay. We are going to go this way for this round. Mr. Houston.

MR. HOUSTON: Thank you.

It is interesting. It is good to get a comparison of different systems in privacy law sets, and a real simple question, I guess, to sort of balance, you know, our system against the British and the UK - or the UK and the Canadian system. I am going to give you a sort of - I am going to make a statement and then give you four different scenarios and ask you which would you prefer to be. Now, this is going to sound weird, but it is important.

If you were one of the following, would you prefer the U.S.’s privacy laws or the privacy laws of Canada or the UK? One is if you are a patient or a consumer concerned with privacy. If you are a hospital or provider of some sort. If you are a RHIO - somebody is trying to implement a RHIO or some other type of community-based record or if you are a researcher. Which - I mean, it is good to sort of get a sense of where we stand in the U.S. versus your countries on all those different areas. What would you prefer to be if you were in those four shoes?

MR. REYNOLDS(?): Go ahead, Doctor. (Laughter).

DR. DETMER(?): No, go ahead. I’m interested in your answer.

MR. SHERIDAN: You know, quite frankly, I will say - I was doing a little background reading on the U.S. laws before I come up here, and the preliminary sort of preface on it was last year there were 3,000 different privacy laws either proposed or passed in the United States through various legislatures - state, federal, et cetera, et cetera. So I got a little discouraged at the notion of 3,000, and I will be quite frank and say that I do not know enough about the various privacy acts and the HIPAA acts and legislations in the United States to be able to make a comparable comment about - you know - which one of the sets of legislations, Canadian or U.S., do I think I’d be more comfortable with.

I can certainly say, in Canada, that patient-hospital RHIO equivalents are extraordinarily well covered in the provincial legislation that exists in the provinces with respect to medical records, who has access and how they get access.

I think researchers in Canada are probably - in terms of access to information around medical records and processing medical records - are probably at a slightly higher disadvantage in Canada than they are in the U.S., and I say that from - basically, from my statistical background, but I think I’m - that is a long way to avoid your question, and I apologize.

DR. DETMER: Yes, having actually - with Richard and Simon - sat through like 75 hearings on privacy some years ago, I think a patient isn’t a patient on this. So there’s such a broad spectrum of people’s attitudes and - you know - views on this, that, frankly, I don’t think you can answer your question as a patient.

I think if you are a patient privacy advocate, then I would say probably I would prefer the U.S. If I were a patient - you know - not in the advocacy kind of mode, I don’t know, frankly, where I’d come out. Probably wouldn’t be material to me necessarily. Sort of all be behind the screen, and I wouldn’t even be thinking particularly about it.

Practitioners, I’d say, tough. I guess I might go slightly for the UK, just because the whole thing is just not something that is kind of visible and it is not as thermal an issue at the moment.

From the RHIO side, I would say I would go definitely with the UK. One of our problems, unfortunately, is we tried to have interoperability with HIPAA, and we didn’t get it. We got 50 varieties, and we don’t, in fact, have national standing or stature, if you will, on our regs on this, and so the problem with - As we talked about at that time, at least you have a standard across the country in England and Wales. Whereas, you know, here, state law can preempt these things, and so we don’t really have a standard. I see that as a problem.

On the researcher’s side, I guess I probably would favor the U.S., unless you talk about stem-cell research. Then, you go to Cambridge to do it.

So, anyway, you know, again, I would probably need to think through that more to give more intelligent responses.

MR. HOUSTON: That was a good answer.

I was just wondering, sort of getting a level set from this committee. We always complain about the privacy law, and it’s just good to sort of get a sense on objective opinion as to the merits of HIPAA and the state law system versus -

DR. ROTHSTEIN: Thank you.

Dr. Cohn.

DR. COHN: I think, in some ways, this is a follow on from John Paul’s question, which was sort of - I mean, he was obviously asking one place versus another, but I am sort of curious. I mean, both - It sounds like in Canada, definitely, and also I guess in the UK, there are both national laws and - in Canada - provincial laws. In the UK, I presume, there’s local privacy laws that may relate to this or not. No?

Okay. I’ll ask from our Canadian representative, and I guess I’m just curious from your perspective how much trouble or complexity are the various provincial laws adding to your work?

MR. SHERIDAN: I don’t view them as a set of complexities in the context of barriers. In fact, in terms of the various basic fundamental principles that are laid out in the jurisdictions’ privacy acts, they all, more or less, basically cover the same sorts of things and are basically intended for the same set of fundamental - you know - privacy and access issues. So it is not a barrier in that context.

The issue is quite clear in terms of the mix of federal versus jurisdictional acts is that health care is defined as a provincial and territorial jurisdictional right under the Constitution and the legislation.

So, on that front, as far as the legislative prerogative for healthcare records, those rest with the jurisdiction. So if there is not a mix in the context of federal and provincial in terms of actual healthcare records, the jurisdictional prerogative is quite clear. It is the provincial and territorial jurisdictions that hold those prerogatives.

So having - it would be - I think it would be a lot easier everywhere if there was one set that everybody actually agreed to and moved forward, but the realities that we are dealing with is that isn’t the case, and what we are trying to do is find a set of standards that are reusable and that jurisdictions will, indeed, say this makes sense in terms of our legislation, given what we have to do to have both security and privacy protection around health records.

DR. COHN: Okay. Thank you very much for that clarification.

So - and, once again - and this is probably sort of a silly question, but you are obviously creating sort of a national infrastructure with, obviously, local variation. If someone is seen in Ontario and goes to Quebec and winds up needing care, how do the rules work, given - I would presume that they are not the same, and how are you all going to figure that one out?

MR. SHERIDAN: Well, the access in that case, in terms of the definition of - would be one where the actual patient would define the consent or access to the particular information and to the particular records.

Right now, the Pan-Canadian Interchange of Health Information and Data is not at the fore of the issues of what we are trying to build, because we are moving these as jurisdictional models. So we haven’t come, I think, to that penultimate - you know - Pan-Canadian exchange of data and information, but, at the end of the day, it will certainly require that the care giver and the patient certainly agree to that exchange of data and those information profiles.

DR. DETMER: Simon, I might come back to a question that Mark asked me, because I think I somewhat slid by your question a little bit, so I reflect on it.

It is interesting that in terms of consent, an awfully lot of the UK still uses verbal implied consent without sitting down and writing these things and all this documentation and so forth and considers that sort of just fine. I mean, almost if the patient sees activities going on that relates to their data and don’t object to it, it is assumed that there is sort of an implied consent that it is fine to do this. Making all of this sort of explicit is not something that actually they are really particularly long on, which isn’t necessarily your question, Simon, but I think it is worth weighing in relative to your comment, Mark.

DR. TANG: I found it interesting that both of these countries - I think it’s true - the UK as well - are centralizing their data, albeit by jurisdictions or by regions, but there are central databases. That’s correct at UK, too, Don?

DR. DETMER: Yes.

DR. TANG: And Don made the comment that the British are not that worried about the privacy aspects of that. Whereas, it is almost banned or outlawed in this country.

Do you attribute - You made a comment, Don, about it being perhaps the universal access or universal coverage as being one of the reasons that it has taken away some of the impediments of privacy concern. You think that’s what is going on in these countries that share that common - maybe it is a privilege -

DR. DETMER: Well, I don’t know whether to give a cultural, anthropological or political response to that.

I mean, I think - You know, according to Nora O’Neill - who has written, I think, a very compelling book called, Autonomy and Trust in Biomedical Ethics, University of Cambridge - America has gone totally overboard on individualism and lost all sight of collective good. That is a bit of a stretch for her thesis, but not by too far, and so, to some extent, I would say, you know, whether that is right or wrong, I mean, it is just a different way of looking at it.

I mean, I think the Europeans, generally, see themselves as sort of being proud of being part of a collective, not just in waving a flag and saying so, but actually have a sense of solidarity, just plays out differently, and I think it plays into that in the sense - you know - if this is what’s needed to see a health system work, then that is what is needed to see a health system work. I mean, you know, it is just sort of a different point of departure.

DR. TANG: So in Canada was there any serious objection to having centralized databases?

MR. SHERIDAN: Well, I think we need to be careful on - I need to understand what you mean by centralized databases.

The databases are not centralized into one, big, huge single database in the sky. The databases are being implemented in domains across a jurisdiction. So there isn’t one huge database of information, per se. There’ll probably be, as I said, about 25 diagnostic imaging repositories across the country for which the doctor or the facility can come in and get the diagnostic image, but the diagnostic image - So these will have to be pulled down to the actual screen face on it.

The diagnostic imaging won’t have the drug and lab information tailing off the back end of it. You will also have to make a call on the drug repository and on the lab repository as well to pull these down onto the screen. So it’s not one huge central database. It is, in fact, a set of common services with a communication bus(?) that will permit people to pick these data up from the various domain repositories as they require them.

DR. TANG: Okay. I was referring to central, in the sense of even within a province -

MR. SHERIDAN: Yes.

DR. TANG: - that will be still central, but I didn’t get the nuance that you’d have the PAX database, the lab database and the medication or pharmaceutical database. So you would pull it into your own - repository.

MR. SHERIDAN: Yes.

DR. DETMER: Paul, I want to add a trailer, if I might come back in on that. O’Neill’s comments, I think, are really kind of interesting. Part of the debate on the importance of having privacy controls on personal health data in this country has been that only that will create trust in the system. Whereas, from Nora O’Neill’s analysis, basically, focusing more and more on privacy actually erodes a sense of trust and even gets in the way of the doctor-patient relationship, because it just makes everybody more atomized in the society and less sort of collectively focused.

So, you know, I think that it is interesting that it was not an American who wrote that kind of philosophy, but I think it is a very different way of sort of looking at what is ultimately a common kind of issue in a way.

MR. REYNOLDS: Mr. Sheridan - Well, both of you, thanks for the comments.

Mr. Sheridan, I guess I am fascinated by the 50-percent implementation rate that you try to have by 2009 and then the 85 percent acceptance rate. So kind of two questions.

One, how much money does, say, a general practitioner have to put in to become part of this, and then, second, how did you get an 85-percent acceptance rate? In other words, you got a slogan or what have you got? (Laughter). It might not play the same way, but we - You got a jingle? Yes, you got a commercial? What do you have?

MR. SHERIDAN: So on the - I think it was actually 87 percent, but on the 87 percent, that was basically the results of a national survey conducted for - I think we had three sponsors for it - Statistics Canada, Health Canada and Canada Health Infoway - and it was - the report from the survey is available publicly. I would be happy to share the results with you, but that is basically what Canadians said about where they were on with respect to electronic health records, and driven by a number of underlying agendas, including better healthcare, quicker healthcare, shorter waiting lines, et cetera, et cetera, et cetera.

So, in the context of - and, you know, it all depends - You’ve been around research each and every one of you. It all depends on the context of the survey, et cetera, et cetera, but I think it is probably a pretty good indicator, and if we were - we may want to take a re-benchmark on that, and I would expect the results, if anything else, would be - would even be stronger in terms of that.

Fifty percent of Canadians are in our electronic health records - basically the parameters that we have laid out for ourselves at this particular juncture in what we can afford to do in the time that we’ve got to do it, and that is basically where we have laid out our game plan to this particular juncture, you know, and for us, I think, the sort of the fundamental issues around this is we really need to have - we are in early days. We really need to have some success stories before we start taking a look at trying to recapitalize to talk about let’s get 100 percent of Canadians in an operable IEHR by a particular given date.

So that is just basically where the framework was laid, unlike our friends in the United Kingdom who actually got - it was sort of a single budgetary drop or - I believe it was 16-billion pounds.

DR. DETMER: Um-hum, 16-billion pounds. Yes, we’d be equivalent of $85 billion, I think, is by one translation that the U.S. would be if it were going to get at this -

MR. SHERIDAN: So it was a very large influx with a large amount of money at one time in one place versus the approach that we have taken, which is going to be incremental.

DR. ROTHSTEIN: Final question, Dr. Harding, who will pass, and in lieu of his question, I just have a quick comment.

If I had to guess the 85 percent would be basically a statement of confidence in the Canadian healthcare system by people who overwhelmingly like it, trust it and value the solidarity that is incorporated in the system.

I thank you both very much.

Agenda Item: Panel IV – Regional Health Information Organizations

DR. ROTHSTEIN: And we will now, without any interruptions, move to Panel IV on Regional Health Information Organizations.

(Pause).

DR. ROTHSTEIN: Okay. I believe we are ready to begin Panel IV, and I want to welcome all the members of the panel, and if there are no objections, we’ll go in the order listed on the agenda, beginning with Dr. Garber.

DR. GARBER: Thank you for this opportunity to inform the committee on what our RHIO in central Massachusetts has been doing to address issues of privacy and confidentiality.

I am Larry Garber. I am a physician of internal medicine at the Fallon Clinic. I have been there for 19 years, and the Fallon Clinic is a 76-year-old, multi-specialty group practice with 250 physicians at 25 sites in central Massachusetts.

I am also the Medical Director for Informatics there, and I have been doing that for seven years, and we are in the - leading in implementation of Epic’s(?) Electronic Health Record.

I am also cofounder of SAFE Health, which stands for the Secure Architecture for Exchanging Health Information. SAFE Health is developing software to run the Health Information Exchange Network in central Massachusetts with the assistance of a $1.4 million ARK(?) implementation grant for which I am the principal investigator.

SAFE Health is a community-based project led by the three leading healthcare organizations in central Massachusetts, the Fallon Clinic, Fallon Community Health Plan and U Mass Memorial Healthcare System.

Fallon Community Health Plan is a not-for-profit insurer for more than 175,000 members. It has provided significant resources towards the SAFE Health Project, and is also providing to our RHIO claims history on medications, health-maintenance procedures and disease-management procedures.

U Mass Memorial Healthcare is central Mass’s largest not-for-profit healthcare delivery system with over 1,500 physicians in a multi-campus tertiary and community hospital network.

U Mass also has free-standing - clinics, long-term-care facilities, home-health agencies, hospice programs and mental-health services.

Committed to improving the quality of care, patient safety and operational efficiencies, SAFE Health is developing technology that securely stores, transmits, aggregates and consolidates the display of - consolidates and displays patient-specific health information, then entirely distributed, federated architecture.

Like other distributed health information exchange architectures, the patient’s protected health information resides behind the firewalls of healthcare organizations that are involved with the patient’s care.

What is unique about SAFE Health is that there is also a distributed federated master person index. So there is no central master-person index. There is no central storage of demographic information.

SAFE Health is also unusual in that it integrates decision support into the network to alert physicians to significant events, such as drug interactions or significant statuses, such as abnormal test results that are overdue for a followup or medication levels that are overdue for monitoring. This is particularly important to patient safety in the ambulatory environment.

Now, it is interesting to note that vendors who are selling e-prescribing software often tout the benefits that include drug-interaction checking and also that there won’t be any misinterpretation of handwriting when using e-prescribing, but in the ambulatory environment, where patients receive prescriptions from physicians in multiple, separate healthcare systems, drug-interaction checking may not involve the patient’s entire medication list.

Furthermore, we did a study with Dave Bates that was published in JAMA and JAMIA(?), which showed that there are very few adverse events associated with difficulty interpreting handwriting. To the contrary, most adverse events have to do with inadequate monitoring of drug levels or inadequate monitoring of common side effects, such as declining kidney or liver function. In fact, these were 10 times as common as drug-interaction errors.

So, now, you are sitting here thinking why am I talking about ambulatory medication safety when you guys are particularly worried about privacy and confidentiality.

Well, first of all, it is estimated that approximately 200,000 life-threatening or fatal adverse drug events in the ambulatory environment could be prevented each year by using systems such as SAFE Health. Furthermore, health information exchanges could also help reduce the approximately two million adverse events that occur nationwide each year as a result of fumbled handoffs as patients are discharged from hospitals. These injuries and deaths can only be prevented if patients participate in these networks.

This is extraordinarily important. Sixty percent of physicians practice in small groups of nine or less. As isolated islands of information, electronic health records have limited ability to prevent many of these adverse events. Integrating office practices with hospitals, reference labs, medication histories are crucial to saving these lives, but if patients don’t allow all of their health information to flow between healthcare organizations, they will continue to experience preventable risks to their lives.

So there are two general approaches that govern patient participation in these health information exchanges. The first is the opt-in approach. In this approach, patients give informed consent prior to allowing any healthcare information to be exchanged. This is analogous to what has historically been done with the paper record. Patient signs a consent, the record is copied and distributed to whoever needs it.

The problem with this approach is that it puts an onerous, albeit not impossible, burden on both the patient as well as busy office practices to obtain and process necessary consent for participating health information exchanges.

Patients will also prefer to be given options for conditional participation, such as blocking out perhaps just their mental-health information.

The opt-in approach requires all patients to give consent to all of their providers. In central Massachusetts, we have approximately one million patients, and most patients, on the average, will see one or two primary-care physicians through the years. They’ll see an ophthalmologist, perhaps another specialist. They’ve got a hospital that they go to, a reference lab, an imaging-system center, a couple of pharmacies. Maybe they have changed health plans a few times. So there are at least 10 million consents that need to be obtained.

Now, if a consent takes one minute to be obtained and performed, that will require approximately 100 FTEs to process these consents. Nationwide, this translates into 30,000 new jobs, which may be a good thing or it may be looked at as raising healthcare costs.

More importantly, until all patients have tracked down all of their current and past providers to give the consent, patient records within the network would have numerous unpredictable holes in it, unnecessarily affecting the vast majority of the patients who had just not gotten around to give consent. This makes it difficult for physicians to predict what might be missing when a patient shows up with no medications on their medication list.

With this opt-in approach, it would take several years, if ever, to obtain the maximal safety benefit from health information exchanges.

Real world experience with the opt-in approach suggests that this actually may be overkill. The Patient Safety Institute’s Health Information Exchange in Seattle, Washington, involving the - Medical Center, they use the opt-in approach, and of the first 400,000 patients that registered, only four chose not to participate in the network.

Clearly, we need to balance the effort to identify this .001 percent of the population with the risks of the alternative approach.

The alternative authorization model is one that we will be using with SAFE Health. We call it the opt-out model. Following the approach that HIPAA takes, we will update our privacy notices as well as do advertising campaigns to educate patients in central Massachusetts about the SAFE Health Network. We’ll also instruct patients on how they can opt out from participation.

We are establishing four different opt-out alternatives. First is the ability to block particularly sensitive information, such as those related to mental health, substance abuse, HIV, STDs. Second is just to block information generated from particular providers. So perhaps psychiatrists or psychiatric hospitals. Third is to block certain facilities from being able to receive information on certain patients. This is particularly for employees of healthcare facilities who go elsewhere for their care and they don’t want their colleagues and coworkers to know their information, and, then, finally, is the option to not participate in the network at all.

This opt-out approach has several benefits. First is that the 99.999 percent of patients who want to participate start receiving benefits from the moment the network is set up.

Second is that physicians using the network will feel more confident that the data that they are seeing, in most cases, are complete.

Third is that the administrative burden related to processing opt-outs is dramatically less than that required to process opt-ins. It does make it more likely that physicians will be willing to join the network.

There are, however, several issues relevant to either approach. First, it is difficult to block just particularly sensitive information. While you can identify some lab tests and medications, it is harder to identify textual notes that can contain this information. Natural language process is something that we are looking at. It is the ability for computers to actually understand what is in the sentences, but the fact is it is really not completely adequate at this time to screen out sensitive notes.

An alternative that we are also trying to use is to screen out sensitive notes based on either the specialty of the author or billing diagnoses associated with the visit or admission. This approach isn’t perfect either.

For instance, a primary-care physician may take a history about a patient with depression, put that in the note, but it is very possible that will not use a billing diagnosis of depression, and the reality is this is no worse than the paper world.


So, currently, in Massachusetts, we are required, in our consent forms, to have three sections, one for regular releases, one for release of HIV information and one for other confidential substance-abuse, mental-health issues, and when patients only select the routine release without the specially-protected ones, very often, in the body of many notes, is some of this protected information, and it gets released. It happens every day.

Another problem that arises from the very successful blocking of specific pieces of information are things like, for instance, MAO inhibitors, which is a kind of anti-depressant that severely reacts with numerous medications. So when MAO inhibitors are blocked from the medication list from viewing it is very possible that a physician could prescribe a new medication with adverse consequences.

SAFE Health has taken a unique approach in that the blocking only blocks the viewing of the information. We have decision support running on the background of the network that still sees the full medication list, so that when a medication is prescribed, if it interacts with a blocked medication, the prescriber will be notified that there has been this interaction with a blocked medication, and that they need to follow up with the patient and we can unblock so that they can see what is going on. This way, both the patient and the physician are protected.

Realistically, this blocking of particularly sensitive information is suboptimal in that patients may feel that this is 100 percent foolproof, when it is not, and we are going to educate them about that.

Also, physicians may not feel that they are adequately protected.

It should be pointed out that HIPAA privacy and security regulations are very supportive of RHIOs and health information exchanges, allowing for the transmission of all patient information for purposes of treatment, payment and operations between covered entities without prior consent, but HIPAA is just the floor or minimum requirement. It is often superseded by other state and federal regulations.

For instance, there is a federal regulation for health plans requiring prior consent - essentially opt-in - for particularly sensitive data. So the medication histories that we are getting from the health plans and for those that are delegated to the PBMs can’t be given without prior consent, and that is certainly problematic as patients show up in the emergency room.

I want to take a moment to be clear about what medications fit into this category of particularly sensitive. In Massachusetts, we have made a list. We have gone to the health plans within Massachusetts and we have looked at all of the medications that are classified by the health plans into this category and grouped them together. So besides antidepressant and HIV-related drugs, you’ve got diet pills, some cold medications, birth-control pills, sleeping pills, most seizure medications, Ziban(?), which is something we prescribe for smoking cessation and Compozene(?), which I’m not sure why they put it in there, but it is commonly used to stop vomiting. Thus, many commonly-used medications will be missing from the medication list by default as a result of this regulation.

This, indeed, has been the frustrating experience of physicians who are part of Mass Share’s meds info ED project, where medication lists are delivered from PBMs to three emergency rooms in Massachusetts right now.

State regulations also supersede HIPAA. In Massachusetts, as mentioned before, we’ll need to make efforts to block by default all textual notes that may contain this particularly sensitive information. Even more complex, however, is that regulations differ from state to state. Look at how we deal with disclosing HIV-related information in New England.

Massachusetts prohibits any disclosure without prior informed consent. New Hampshire lets physicians notify blood banks without prior consent, and Rhode Island and Connecticut allow disclosure without any prior consent as long as it is DPH or healthcare professionals who are directly involved in caring for these HIV-related patients.

So this is a RHIO nightmare and it would dramatically undermine the effectiveness of a national health information network if the entire country would have to revert to restrictions of the most conservative state. Several RHIOs have had to - their rollouts because of these legal issues and the legal fees associated with them trying to work through the regulations.

In contrast, if HIPAA was the accepted state and federal rule for operating RHIOs, and the National Health Information Network, instead of just being the floor, these specially-protected categories could be transmitted in both the patient’s best interest as well as the physician’s best interest without fear of lawsuits.

Physicians would have reliable access to a full complement of patient information for the vast majority of patients who would prefer that anyway. Opt-outs could be offered to the extent that it is practical for the small minority of patients who so choose. Protections already specified in HIPAA provide the necessary associated requirements with respect to authentications, audit trails and punishments for breach of privacy and security in order to further safeguard protected health information.

So, in summary, RHIOs have the potential to prevent hundreds of thousands of injuries each year. However, in order to facilitate the creation of RHIOs, and, thus, the National Health Information Network, while providing the optimal healthcare to the vast majority of our citizens, HIPAA privacy and security regulations need to migrate from being the minimum requirements to becoming the standard across the country.

Since this hasn’t happened yet, we just unnecessarily killed another patient during my testimony today.

Thank you.

DR. ROTHSTEIN: Thank you.

And, now, we will go to Dr. Lewis.

DR. LEWIS: Thank you, Mr. Chairman. I appreciate the opportunity to be here today to describe some of our experiences and challenges in addressing the sharing of personal health information along with the privacy issues for low-income, uninsured individuals.

We have actually found that this is even more complex than some of the challenges that you have already heard.

I think, to give the committee a sense of where my observations are coming from it may be helpful to start with a little bit of personal background.

My first formal exposure to personal health information and privacy actually predates the Privacy Act of 1974. At that time, I was at the NIH Clinical Center, and we were seeking approval to begin work on a comprehensive clinical-information system to support the patient care and clinical research at the NIH Clinical Center, so that my commitment, really, as a strong proponent of both sharing information and privacy goes back a long way.

That particular system was - those of you who are familiar with the NIH are aware - had very little to do with billing, very little to do with fiscal management, nothing to do with insurance. It was strictly a clinical-care and clinical-research system.

I think the context in which you may want to consider my remarks are the challenges of building a mini-safety-net-oriented RHIO for low-income, uninsured individuals.

Many of the themes that you have heard, with respect to privacy and confidentiality and the benefits of data sharing, apply equally to the under-served populations, but there are really three points that I’ll touch on as we go forward, but, in order not to keep you in suspense, we’ll share the conclusions at the beginning.

The first is that data sharing is considerably more critical for the uninsured than it is for insured populations.

The second is that we have found that it is more difficult to build trust and, therefore, to build the confidence in data sharing that would facilitate that.

And the third is that automated matching is much less reliable, and, therefore, much more problematic, so that the sort of database and analytic engines, master patient index, technologies and algorithms are much less effective in that environment than we would like them to be.

To give you a little bit of background on the service population, the Primary Care Coalition is a - really a compendium of non-profit organizations in Montgomery County that are oriented to supporting one another to try to deliver high-quality healthcare for the 80,000 uninsured residents of Montgomery County.

There are about 10 independent safety-net clinics in the county, some faith-based, some linguistic or culturally-based, that have come together to form this organization, as well as a clinic that has D.C. as well as Maryland affiliations, and we are about to begin operation in a non-profit clinic in Virginia. So that gives you some sense of the regional aspects, which are important in terms of some of the ancillary challenges, such as cross-jurisdictional laws, different - many different providers.

Montgomery County is interesting in a hospital sense in that there is no university hospital and no public hospital. They are all - there are several non-profit community hospitals. So it is a little bit different environment from what you find in some sites.

Our approach has been to try to leverage IT through a small center that we set up that we named the Center for Community-Based Health Informatics. Sometimes, if you name yourself, it helps you focus on what it is you are trying to do, and so our notion is to see if we can use technology in the low-income, uninsured population.

We started with a HERSA(?) cap grant for infrastructural purposes that led to the development of what we think of as a thin, broad electronic medical record, where connectivity patient identification in the concept of sharing data among the partners was really the beginning point, and if you think of these clinics as being a notch below the FQHCs in terms of funding, in terms of medical resources, in terms of facilities - with anything else, then it will sort of put you in the context of why we wanted to start at a very basic level.

These clinics essentially form a sort of virtual system of care, now, handling about 80 percent of the safety-net visits that occur within the country.

I should add, just on the bottom line, that having spent 34 years at the NIH building high-end clinical systems, high-end clinical research, electronic health records, it has been an interesting - an eye-opening even to discover that there are people three or four miles from NIH who have no care, no access to care and really not well funded. So it has been an interesting, and, I think, rejuvenating personal experience for me.

I’ll touch quickly on - and actually, I won’t read this slide in detail, because I think many of you are familiar with the concept, but other things that happen in the world affect our ability to convince people to share health data. For those of you who had a chance to look at the Washington Post today, Citicorp managed to lose another 3.9 million account holders. The summary says that that is six million in the last six months, individuals in the U.S. who have had personal financial data compromised, and you can’t recall that data. You can change a bank account. You can recover the funds. You can do some of the - the legal profession is not my forte, but it is very hard to undisclose your personal health record.

My favorite example of inappropriate use in the last few years really was a well-known Midwestern railroad that decided to do DNA testing, unannounced, of its employees for what the Director of the National Human Genome Institute described as junk science to try to find a correlation of their DNA with very rare neurologic syndromes that can be associated very remotely with carpal-tunnel syndromes, and no one - and, clearly, this was done as a way to avoid Workmen’s Compensation claims. It clearly wasn’t something conceived of by a nurse or a technician in the medical department, and it is an example of, I think, the kind of activity that makes it harder for me to convince low-income patients that they should share their data.

Dr. Detmer referred to it briefly, when he talked about why there is less conflict in the UK. Among our patients - and sometimes low income, uninsured is equated with immigrant populations or even undocumented immigrant populations, but that is actually not true. Many of our patients work for small businesses that can’t afford health insurance, and if you look at the insurance environment, if you are a small-business employer, a plumber, an electrician, you have two or three employees and one of them needs a heart transplant, you may have to drop your insurance program because you simply can’t afford the premiums in the next year.

So disclosure of health information leads to social ostracism, job loss, insurance questions and so forth, and even occasional much worse activities.

I think the - I’ll just finish this slide by saying it is as private as financial data, you know, clearly is not adequate.

Dr. Detmer and I did not rehearse our presentations today, but I did want to touch on some things that were helpful to us from the UK experience in thinking about how to approach it.

The first - and Dr. Detmer shared it - is that there’s a very high level of trust in the National Health Service by the citizens of the UK, but, in spite of that, a study done two or three years ago showed that only eight percent of the people that they interviewed were comfortable putting all or a lot of their data into a shared electronic health record. I think in the U.S., it is probably - there is probably a lesson there that it might be even more difficult.

So the UK, in some subsequent activities, made some attempts to reduce the skepticism. One of the things that is interesting to read is a care record guarantee that they put together. It is written in non-legal language. Anyone can read it and understand it. It talks about what won’t be released, what will be released, and it begins to get at notions of patient control, I think, in a high-level way that was helpful to us in thinking about how to approach our low-income populations.

First is a notion of assent, what you agree to release. The second is a notion of dissent, what you don’t want released from your record, and the third is an institutionalized notion of a dissent override. There’s certain things that really must be released. Data for public health, communicable diseases have certainly been the traditional one, but there are other sources of - other kinds of data that need to be released as well, because they put people at risk. If you think of HIV-positive patients going to their dentists and perhaps that is information that some states would judge should be released. Massachusetts apparently doesn’t feel that way, but I think it is a notion that is a very constructive one to discuss with a patient, because it allows you to talk with them about why information should be released in a very non-abstract, very meaningful way.

I think HIPAA is probably not well understood by anyone. Part of the fun we had working the legal profession was to try to get multi-jurisdictional sharing agreements among our 10 safety-net clinics with respect to legal sharing of data. This was using a law firm that was actually recommended by the Federal Health and Human Services Department as being experienced in the area, and even there there was - that was probably the most expensive single item in the development of our shared electronic medical record environment.

So I think asking the question of whether HIPAA has actually engendered trust or, to some extent, inhibited trust, is worth asking.

I’ll finish up by talking about the early experiences with our safety-net RHIO. As I mentioned, one point for discussion is our assertion that data sharing is considerably more important for the uninsured. There’s specific patient factors, including the tendency of the patients to choose multiple providers. There is less likelihood of a medical home, significant use of emergency departments for primary care, and then site-driven changes, care-site-driven changes, migrant workers across the region, frequent job changes even for low-income individuals within the region, and the reason I mention housing changes is because of a comment at the bottom of the slide. We have uncovered some interesting factors that others know about as well, but a home address, for example, is not very useful, often, for tracking patients, particularly if you have, as is true in some of our Virginia jurisdictions, particularly, illegal numbers of people living in the same house, then you almost never get a correct address in that circumstance because of fear of retribution.

Just as some examples - and these won’t be new to any of the committee members - but one of our hospitals cited an expensive, dangerous workup they had done on an emergency-department patient that they then discovered had been done a week before in an emergency department across town. Now, I emphasize the dangerous. It is not just the cost. It is a patient-safety issue.

Patients concurrently seek care in multiple jurisdictions. If they get sick at home, they may go to one clinic. If they get sick at work, they go to another clinic. If a clinic loses a language translator, then they go to still a third clinic. So it becomes difficult to build trust.

Again, we find that - and if you look at the bottom of the slide, first, we find that a voluntary approach has worked very well for us, that if we actually sit down and take the time in our clinics to build relationships with the patients, even when the provider may be different each time, we have had quite good success at the patient’s - having the patients understand, and, therefore, agree to the benefits of sharing their data.

If we do it as a top-down approach, it really doesn’t work at all, for all of the reasons cited at the top of the slide - cultural biases, immigration status, the difficulties of conveying trust, legitimate historical reasons to distrust the system, language and educational barriers - and the consequences of distrust are quite evident in these populations particularly. They tend to forego medical treatment requiring expensive care later, and also the risk to all of us as a public-health issue if appropriate information isn’t shared.

People like to cite bioterrorism. Really, my bigger fear is the introduction of things like multiple drug-resistant tuberculosis into Montgomery County by a very easy hop, skip and a jump from Central America into the chicken-and-strawberry fields of the Eastern Shore and into the Washington area. This is a two-, three-, four-day transit in some cases, and I think, statistically, that is a much larger risk.

Some quick comments on why we found automated matching to be more problematic, and one of the groups we have worked with actually is a group called the Open Health Records Exchange, which is experimenting with a variety of matching methods to try to develop reliable algorithms for these populations, but it starts with the fact that there is no insurance ID. If you look at some of the MA share work, insurance ID’s, pharmacy-benefit managers are their main source of information about medications. That simply doesn’t work here.

Cultural naming conventions. We’ll have - people may register perfectly honestly under different names on subsequent visits to the clinic. That is where you get into the less-honest ways for registering under different names.

Frequent changes of address and phone numbers.

Unknown birth dates. You would be amazed at the number of people who were born on January 1st when you do a histogram of our birth dates.

Multiple occurrences of the same patient even in the same clinic, so that the certainty of the match goes down. There are problems of false inclusions and false exclusions, and, again, I have mentioned the examples, so I won’t bother you with them here.

The global considerations on this slide are basically the same ones you have heard before, but what I really want to emphasize is point 3 and point 4 that a national framework that could then be implemented locally would be very helpful. When the framework keeps changing, it is quite different, and, unlike the previous speaker, I am not sure that, in my point 4, that HIPAA is exactly where I would start. I think a clearly-worded something in the form of a guarantee - Now, I realize that guarantee is a difficult word and it isn’t quite the - it is not quite the word I am looking for, but something that approaches that in that notion with appropriate penalties for people like railroad CEOs that think - anonymous - think that not-informed-consent DNA scanning is a good idea.

I’ll just finish with the three safety-net challenges that I think are different in our environment. Data sharing is considerably more critical for the uninsured, but it is more difficult to build trust, and therefore, to share data, and that automated matching is thus reliable.

On your printed handouts - I’m not sure if they made it to this one. No, they didn’t. On the printed handout, there are also some references to sharing agreements that we developed for use in the clinics that have been actually fairly widely requested by other clinics.

I’ll stop there. Thank you.

DR. ROTHSTEIN: Thank you very much.

We’ll be back to you with questions after our final witness, and that is Dr. Root.

DR. ROOT: Thank you for inviting me to be here.

I have to apologize because I got caught in that rainstorm yesterday. I hear it rained here, and I ended up in Minneapolis and my luggage ended up someplace else, and I still haven’t reconnected with it, and all my handouts and everything are wherever my suitcase is. So the best I can do for you is to read off my laptop. So I apologize for this sort of primitive presentation, but it is the best I can do.

Thank you for the opportunity to share some of UHIN’s experiences in the area of privacy and security. My name is Jan Root. I am the Assistant Executive Director. I noticed in here it said, Chief Privacy Officer. I am also the security officer. We employ all of, I think, eight people, so we wear a lot of hats. I have been with UHIN since its inception about 12 years ago.

I am a little bit outclassed here, because UHIN doesn’t actually share clinical information right now. We share administrative information, which, of course, contains clinical information. So most of my comments are based on the experiences that we have had in the administrative arena. We are moving into clinical, but we are not there yet.

We are a small not-for-profit company. We securely transmit administrative healthcare information between entities through a central internet gateway. UHIN and its members believe that the entire healthcare record should be kept private and confidential, and we take our privacy and security responsibilities very seriously, and we encourage our members to do likewise.

We were first incorporated in 1993, as a Utah not-for-profit corporation. UHIN was born of the Community Health Information Network, CHINs, CHINs. Remember CHINs? Do any of you remember CHINs? Yes, okay. CHINs, yes. We are CHINs. That is where our name comes from. We are one of the few that are still alive.

Our purpose is to provide the consumer of healthcare services with reduced cost, improved healthcare quality and access. We do this by creating and managing a value-added network, developing standards for these exchanges. All the participation in UHIN is voluntary.

Whenever you get your handout, you will see there’s a section there about UHIN’s structure. The membership is very diverse. We have a lot of competing entities - payer organizations that compete with each other, provider organizations that compete with each other, government, consumer groups. Because of this diversity, we made three important decisions at the beginning that I think have an impact on what we are doing in terms of privacy and security right now.

One, we are a value-added network, not a clearinghouse, and the distinction is very important. We don’t open the envelope. We don’t massage data. We don’t save data. We don’t store data. We are like the Post Office. If I can read your handwriting and it is a real address, I ship it. Okay? If it is garbage, it is not my problem.

The way we do this is we develop community standards, since the receiver needs to know - this is an electronic message - need to know what is coming down the pipe, the community got together and created standards. We have about a million hours, we estimated not too long ago, that has been donated by the community. You know, we sit around a table like this and we say, Okay. We need to create a standard about - you know, whatever the community wants to create a standard about. I take really good notes, and, through a rather lengthy process, we create a community standard that works for everyone. That is the goal is to create a very practical working standard.

We have also been very active on the national scene at X12, HL7 and at WEEDI(?). We have encouraged a lot of our members to participate there as well.

Another thing about UHIN that you should know is that we are run on a consensus basis, not majority rule. It creates some very different political dynamics to do a consensus-based organization. We did this to encourage adoption and to ensure that one entity would ever control the company. Instead, it truly is controlled by the community.

We are a community-based organization, and we have a commitment to serve the entire community, from the very large entities to the very small entities, and, as a result, we often use technology that people kind of laugh at.

When we first started, for example, we used a dial-up system. We had hours and hours about how do you standardize Kermit(?). So that everybody could use Kermit the same. We are up to an internet now. We are doing better.

We do have connections to over 1,500 end points. We connect about 20 national clearinghouses and about 400 national payers. So we handle about 50-million transactions a year right now. We have been very successful. We are completely self-sustaining. Okay. That is our background.

CHINs, like I mentioned, we were a CHIN. It is just interesting, when we wrote the ARK proposal, the current term then was LHII. Now it is RHIOs, and I recently heard SNOs, Subregional - Subnetwork organizations, SNOs. That was at the Connecting for Health meeting a couple of weeks ago. So I don’t know what it is really called. I am going to stick with RHIOs for right now.

It is interesting because CHINs were created to solve the same problems that RHIOs are being created to solve. It is really not a different thing. Just a different name for trying to reduce costs, improve care and improve patient safety.

As you know, the CHIN movement was largely unsuccessful. Most of the CHINs didn’t survive.

We believe UHIN was successful, though, because we focused on creating value and we focused on creating trust. I think all of us have talked about trust. This is absolutely essential to our survival.

Our vision, even though we have had a history of exchanging administrative transactions, we have always anticipated that at some moment in time we would do clinical exchanges. This seems to be the time to do it. Certainly is a lot of it nationally. Witness all of you sitting around here.

Our vision is to extend our current network. We have a redundant, multi-site, state-of-the-art internet gateway for administrative exchanges, broadband on demand, constant monitoring, performance security, all that stuff, and we want to add a little bit to it to handle clinical exchanges.

We anticipate that we are going to develop a statewide master person index and probably a statewide master - we don’t have a good name for this, but clinician/facility/provider, something like that, index, and we are considering what the Connecting for Health folks are calling a record locator service, but we haven’t made a firm decision on that one yet.

We do not anticipate any centralized PHI database, at least it doesn’t seem to be a politically viable suggestion in Utah.

So our primary challenges right now are, one, develop a sound business model for clinical exchanges. It is rather prosaic, but, first and foremost, UHIN is a business that has to stay alive in order to provide service to the community. So we have to figure out how to fund this in a reasonable and appropriate way.

Also, we need to create or adopt necessary standards, and we need to address some new issues in privacy and security. So what is new? You’d think we’ve been doing this for 12 years, we would kind of have privacy and security nailed, right?

Well, what is new for us - Okay. You have to remember we are a RHIO. We are not a doctor. We are not a payer. We are not a hospital. We are a RHIO. What is new for us is the patient. Okay?

For those of you that got to go through HIPAA like I got to go through HIPAA, the patient largely wasn’t in that conversation a whole lot. Patients don’t really care a whole lot about how their claims get paid, as long as they are not harassed. Long as you do it, they don’t care.

So for us, as a RHIO, as a CHIN, as a whatever you want to call us, the patient is a new element, and so we are having to learn how to figure out how to interact with the patient, which is really going to be a challenge.

Our goal is always to be a trusted and neutral third party in the community, and the community trusts us with actually two kinds of information. So I want to talk about both of them briefly.

One is PHI, but the other is proprietary information about our members’ businesses. It is UHIN’s highest priority to protect both of these types of information.

Let’s talk about PHI first, and remember, we are coming at this from a 12-year history in administrative exchanges, all right? So this may sound real obvious to you, but it was an eye opener for us.

One of them is that we are learning is that health data is health data is health data is health data is health data. It doesn’t really matter whether it is a claim or a pharmacy prescription or a lab result or a whatever. It is all the same stuff, and so we have decided to treat all the information that flows through our network equally. It’s all protected under HIPAA, but we had originally thought that, well, you know, this is clinical data. Somebody might die. We need to be more careful, and we have since said, No. It is all going to be benchmarked at the same spot.

The second lesson for us - and this comes from our history as a CHIN - is that RHIOs - at least RHIOs in Utah - should not function as central PHI data repositories.

We know we hear a lot of discussion about centralized data repositories. We certainly hear them at the Connecting for Health meetings, and there is a lot of good reason to do that. It is a lot easier technologically. You can get a lot more bang for your buck and so on and so forth.

We heard all these discussions during the CHIN movement. For those of you that were around then, I am sure you heard them then as well. Basically, the argument is that somebody needs to do it because it is a good idea, and the CHIN or the RHIO looks like a good, logical and very convenient place to do this.

Our thoughts about this are that the first task of a CHIN or a RHIO is that they have to be trusted entities. If they are not trusted, they don’t survive, and the trust that is necessary to keep a RHIO alive just doesn’t thrive in an atmosphere of controversy. It just withers.

When we look at central data repositories, they inevitably, at some point, seem to engender controversy about a whole variety of things, particularly when you use them across competing organizations. Several of the early CHINs foundered upon this very issue. They developed central data repositories, and the various entities decided they wanted to use them differently, set up different evaluation criteria, and it was their undoing.

Our observation then, and now, is that whoever holds this data repository, if you decide to do that, has to be a pretty bulletproof entity. CHINs and RHIOs are not really very bulletproof, because they are community organizations. They are coalitions. So they are inherently kind of fragile, right?

It is not that a central data repository is bad, you know. I am all for it, if you can figure out how to do it. It is just that we don’t think that the RHIO is a good place to do that because they are rather controversial.

In Utah, we do have a solution. We do have a central data repository. It is held by the Health Department. Okay. The Health Department is pretty bulletproof. They have taken it on the chin many times for this data repository and done a wonderful job with it, but it has been a very difficult row to hoe for them. So we have managed to keep UHIN as the entity that maintains the community trust, brings the value, maintains the network allows this information to be exchanged, and then the Health Department is kind of the gladiator that has fought the battles to use this information in a wise and kindly fashion.

I would like to talk a little bit about patients. As you know, patients certainly aren’t a new factor in healthcare, but they are a new element for us. As I mentioned, patients just weren’t a whole lot involved in the HIPAA conversation. Some of you were at X12 with me, all the years of going through X12, and there wasn’t a whole lot of discussion about, Well, what do the patients think about to use an ICD9 code or this or that? Nobody really cared.

That is really not true now. Patients, at least in Utah, seem to care quite a bit about this. We have a consumer advisory work group that we have started, and we are definitely very much neophytes at this, and I was really listening to your comments with great interest because one of our biggest supporters right now is our local community health network. Community health centers are very, very interested in trying to utilize this system we are bringing up.

There’s two things that we are seeing coming out of this consumer advisory workgroup, and I should tell you that this group is mostly composed of people who work as patient advocates or just low-income advocates in general.

One, consumers don’t appear to be very well versed in just regular old clinical exchanges, stuff that happens right now. They don’t know that you can put a diagnosis on a prescription. They were outraged. What do you mean you can put a diagnosis? You know, the pharmacist has no right to know that. Ta-da, ta-da, ta-da, and you’re like, Well, think about it. You know, and after a while people calm down, but there has been this consistent surprise that all this stuff gets exchanged, albeit very poorly, but still that it gets exchanged at all, and so one of the things we are concerned about is that we might have to do a pretty good educational program on just what is going on right now in order that when you do it in electronic there isn’t this perception that somehow this electronic thing is new and, therefore, dangerous.

The second thing we are seeing is that consumers do have a very high level of interest. We have been around and talked with several groups, and everybody gets very exercised over this. Part of it, again, is I don’t think people are very aware of what is going on right now, but there is also a constituency that wants to micro-manage the exchange of their health data, and while I don’t know if that is even doable or not, we certainly have to be willing to listen to people that do want to micro-manage their data, because some people do.

The one other kind of information that we are entrusted with is proprietary information, and, again, from a RHIO perspective, I just want to mention that - you know - we are a - neutral third party, and we work with all portions of the healthcare market, and, as such, we often hear about a member’s business plans or their strategies to how to out-compete this person or that person, who also sits on my board - okay? - and we have to keep all of that extremely confidential, and that is an absolute drop-dead requirement for the success of a RHIO.

As has been mentioned here previously, we have great concerns about the lack of privacy standards when you cross state lines. It was interesting. Several of our board members, actually, this group came to Salt Lake City once quite a while ago and interviewed people, and a couple of our board members testified, and one of their issues was this difficulty about a lack of privacy standards, and, basically, they were just sort of told to deal with it.

They were mostly payers, and, you know, payers are bad guys, but, now, it is not payers anymore. It really is about patient care, and so we would like to make a pitch for the committee to reconsider the idea of standardizing privacy across the country. I totally agree with everybody’s comments here that unless you do this, it will greatly hinder the ostensible goal of a national health information organization. It is just not possible to keep all this stuff straight. It is just not.

From a security perspective, understand that UHIN operates a front-door-to-front-door service, okay? I’m the Post Office. I pick up mail from your mail box. I drop it off in yours. I don’t go in your door, all right? That is not what UHIN does. Several other emerging RHIO organizations do go inside of people’s offices, but UHIN does not.

So we have taken security and we have divided into two hunks. We have security that is the pipeline. Okay. That is our problem, and then we have security that is inside the member’s facility. That is your problem or that is their problem. All right? That is how we split it up.

So our responsibilities are for managing access, and the reason I am bringing this up is I am hoping that, essentially, at some point, we’ll get some kind of standard for how RHIOs are supposed to operate on a security level, because this is going to be another critical issue for the success.

We have to authenticate new members. In fact, I had a thought. What was the company that they were being scammed because a regular customer turned out to be a front for some - Right. I was just thinking, we have to be careful, because what if someone in Utah comes to us with a tax ID, looks like a healthcare, like we need to be more careful about this.

Luckily, Utah is pretty small. So if they are not a real healthcare provider, we’ll know it pretty soon, but that strategy is not going to work here on the East Coast.

Anyway, we need to authenticate new members, control access and monitor security of the pipeline. In your handout, there’s details about how we bring new members up. We have everyone sign an electronic commerce agreement. It is all uniform and they get a trading partner number, logon and password. They are the only persons that know the password. The password has to comply with our specifications, you know, eight characters, ta-da, ta-da. Have to be changed four times a year.

One of the suggestions we would like to make here is that, in terms of standardizing security and privacy, is that RHIOs be EHNAC certified. EHNAC stands for - if I can do this - Electronic Healthcare Network Accreditation Commission. Bingo.

What EHNAC does, it is kind of like JAKEO(?) or NCQA or one of those national organizations that is trying to set very high level professional standards for clearinghouses and value-added networks, such as ourselves. They offer a certification. It is rigorous, I can tell you. We just went through it. It was a lot of work. It was very difficult to achieve a certification.

We would like to suggest that the committee consider - you know - I don’t know exactly who is going to ever define RHIOs, but if they ever are defined that EHNAC certification be part of that, because they are all clearinghouses or VANS(?). They all exchange information in some fashion, and EHNAC has some very good security and privacy criteria.

One of the things, of course, that we do is we encrypt. We encrypt. We are compliant with CMS’s internet security policy. We require all of our members to have a very short list of browsers. There’s not a whole lot of them that do 128-bit encryption, and the handout - when I get that to you - has got the details there.

We do have a kind of an interesting PKI design. I’m sure - I know. We are running out of time. Sorry. I am almost done.

We manage about 1,700 endpoints with about 20 keys. So, again, if you are interested in learning how to do that, I can tell you at a later time, but it works quite well. It is a doable PKI. In terms of member responsibility, as I mentioned, all members are responsible for security within their own facility, and privacy, too, for that mark.

One of the things we are concerned about, you know, we do realize that clinical information does have possibly more dire consequences, if you misuse it, than administrative. I mean, if you misuse administrative, you get accused of fraud, but you misuse clinical information, you kill somebody.

So one of the things we are trying to do is to take the HIPAA security rule, which is just generic, and actually create some specific technical specifications for small provider offices that are implementable, reasonable, appropriate, don’t cost an arm and a leg.

We did have an interesting anecdote. One of the products that we are bringing out recently actually allows physicians - you know - credentialing. Everybody know what physician credentialing is, where you go to the payer, get on their panel?

We have created a product whereby physicians can put their credentialing database into a single database and then they control access to it, and when we started to trot this out, all of a sudden the small doctor offices are getting a lot more interested in security, because it is now their personal information. So maybe that’ll help. We’ll see.

I would like to encourage, again, standardization across the RHIOs. We hope that the RHIO connection, the national health information organization, will be a hub. Hubs make it much easier from a security management perspective. You don’t have as many entities to authenticate to. You can also create - it creates an impetus to create a standard architecture to - across the RHIOs through the hub. We know that standardization is not easy, but we really think it is important to make any kind of national health information organization economical to run, and trusted.

We use SSL, server-to-server keys. We hope that that would be considered as a standard. Along with the web services architecture, it is a lot easier to manage your security with that.

And that is it. Thank you very much for the opportunity to speak with you.

DR. ROTHSTEIN: Thank you very much.

And, now, the floor is open for questions from my colleagues.

Well, while they are contemplating, I have one question for Dr. Garber to begin with, and that is in your testimony, you said that an opt-in approach is infeasible because you would have to get from a million doctors and that sort of thing, correct?

DR. GARBER: Difficult.

DR. ROTHSTEIN: Okay. It would be very difficult and expensive and time consuming and so forth.

Why couldn’t you get a single opt-in for each RHIO, and so all you would need is one opt-in, if you had 10 doctors, and as soon as you got one, you could fill up the RHIO form and that would serve all of your doctors?

DR. GARBER: To some degree, that is possible, but then when you go to your next physician, how does that physician know if you have opted in yet? So while they may not have to do the consent at each location, they need to verify it.

So, in other words, there may still be some work. It depends on whether you are saying, Okay. Go to the RHIO and talk to them, as opposed to each physician’s office being responsible for, Okay. I can do the single consent for everyone, which is probably how you would do it, but then when you go to other offices, they presumably would want to check to make sure that it has been taken care of. So it takes less time, but it still has to be done all over the place.

DR. ROTHSTEIN: But it would only have to be done once, and the patient wouldn’t have to do anything. So when you check in they would press some keys and verify that they were a RHIO member.

DR. GARBER: Right. By pressing the keys. You are right. It would be less than a minute per person, and we actually - You know, while we are going to try to do the opt-out approach, we are prepared to do an opt-in approach, if it turns out that is the public consensus.

DR. ROTHSTEIN: Okay. Thank you.

Dr. Cohn.

DR. COHN: Yes, I just wanted to explore the issue with probably all three of you, just sort of a - I certainly don’t know that I have the answer to how things should work across states, but I was sort of taken - and you may have listened to the Canada discussions, where they were sort of primarily focused on within their provinces, and then sort of figuring, Well, if you went to another province, you would have to sign at that point an authorization.

Now, I am seeing in my own mind - realizing that there is actually a pretty wide variation in state laws relating to privacy, and there was a reason why the HIPAA Privacy Rule was a floor, not a ceiling. I also am probably one of the survivors the last time we went through HIPAA privacy, and I know that these conversations are typically not very easy, and they certainly aren’t very rapid, generally, because it really does sort of open up a lot of societal-value discussions, many of which have been handled by the state.

So I guess, as I think about all this one, let me just ask, I mean, is a model - and tell me the down sides here. I mean, is a possible model that states have a lot of the responsibility for figuring out the privacy within their states and that there is a - somehow a different mechanism a la patient-specific decision making as they move to go to another state or whatever in those cases where they need to get healthcare? Is there a major down side to that? Can you help me?

DR. GARBER: We are in central Massachusetts, kind of right in the middle there, in the Worcester area, and I have a bunch of patients who live in Connecticut who come to see me. Now, I am not even close to the border with the state, and the reality is that people who - there are tons of people who get their healthcare in Boston who live in New Hampshire. So if people just stayed in their state to get their care and where they lived, you know, that would be fine, but people - there is a lot of healthcare that takes place across borders, you know, getting in both places, and I don’t know what percentage that is. Maybe it is - you know - five percent of the population, but there is still a lot of people who get healthcare across borders, and that could be problematic.

DR. ROOT: So your question was would it work to allow the patients to control the access? Was that your -

DR. COHN: I guess I was just wondering if there could be a somewhat different way that was cross state versus interstate, and I was just trying to explore that to see if it held any water. Pardon the expression.

DR. ROOT: You know, the whole sort of emerging business model of a patient-centric record, which will probably be like the conversation about privacy - very long and slow - but the idea that the patient somehow subscribes to a service and that physicians feed that through some kind of secure thing, you know, maybe down the road, maybe that is a possibility because then it is the patient actually sharing the information. It is not the responsibility of the physician or the hospital or the payer. It is the patient that controls that information, and when we talk about it, we don’t see anything right on the horizon right now to enable that thing, but that is about the only real suggestion that we have heard that sounds at all pragmatic, unless you are going to try to reform the privacy laws and create a floor and a ceiling, which we acknowledge would be extremely difficult to do.

DR. LEWIS: Just wanted to make a quick comment with respect to both of your questions.

First, the sharing agreement that we negotiated among the 10 clinics works very much the way you describe. So that if a patient agrees to have their data shared when they visit any one clinic, then that pops up on the screen should they appear at one of the other clinics, as well as the sort of inverse notification that if they go to one of the other clinics and they have not shared a sharing agreement it notifies that clinic and encourages them to talk with the patient and obtain one for the patient’s benefit, as Dr. Garber described.

I think the possibility of negotiating suitable privacy-protection agreements across jurisdictions is certainly there. We did it with D.C. and Maryland, and we expect to be able to do it with the clinic that will be joining the group from Northern Virginia, but each time is a sort of new experiment in a new component, and my final thought isn’t intended to be a critique of the legal profession, but what we encountered in the process was an interesting one. My background was in mathematics before it was in medicine. So I am totally out to lunch when it comes to legal issues, but our first deed was to frame it as a collaboration not an adversarial proceeding. We didn’t want - we wanted the clinics - we wanted new clinics to be able to join without having to renegotiate the entire set of agreements and without having to have everyone resign all the contracts and so forth.

So the first part of the activity and one that others have come after us - was setting a framework of collegiality and collaboration in the interests of helping achieve the goal of sharing, rather than protecting one organization vis-a-vis a different one.

MR. HOUSTON: I just had a short comment back to your original question about the opt-in versus opt-out, and I remember when John Fanning(?) was still working with this committee. I remember him circulating an article from - I think it was a Canadian publication. It was related to research, but I think it’s very relevant, which was that while most patients would opt into a research registry, they want to be asked. So it’s - this whole concept of - and most people will say yes, but they like the courtesy of being asked whether they want to be part of it, and I think that is sort of - you know - back to the point of opt-in versus opt-out. I think there is still a sensitivity regarding that, and I think that is one of the things that would be interesting to look back after your experiences in opt-in versus opt-out and find out what you end up with, because of those types of patient sensitivities.

DR. GARBER: That is part of our evaluation with the grant is to see whether that approach was successful in terms of getting it past the public, and we may find that it is not. That’s why we’ve got our bases covered.

DR. ROTHSTEIN: You don’t mean getting it past the public. You mean -

MR. HOUSTON: Public scrutiny.

DR. ROTHSTEIN: - generating public enthusiasm for your program.

DR. GARBER: Well, as we have talked about is it has to do with building an appropriate trust, and whether it takes - opt-in is the way to do that or whether we can do that through education -

MR. HOUSTON: You might want to try to - I wish I could find - have the article off - right off my fingertips, but you might want to do Google and see if you could find it, because I thought it was an interesting article, just simply - and, again, it was sensitivities of patient subjects and research in Canada, but -

SPEAKER: I’ll just call John.

MR. HOUSTON: Yes.

DR. ROOT: In Utah, we have the Utah Immunization Registry, which has been in its place for about - I don’t know - six or seven years now, and it started out with an opt-in, and that became extremely problematic, just to administer, partly because the patient - the database was focused on children. So you might have one parent who opts the kid in and then the next parent opts the kid out, and it just got insane. So they finally went to a straight opt-out approach, just because the administration of it was just impossible, just as a little pragmatic note.

DR. TANG: Jan, just a little comment on your suggestion that we have these PHRs as a way of - you know - somebody else that would operate a PHR and then subscribe to it. Ironically, those kinds of third-party PHRs are not covered by HIPAA at all.

DR. ROOT: Yes, I know.

DR. TANG: So, in actuality, the patient would have the least amount of protection and guidance.

The question I had for you is did I get you correctly that Utah - essentially, the Department of Health maintains or at least owns - I think you operate the central database for the administrative data you have been sharing?

DR. ROOT: The Utah Department of Health has the legislative right to collect clinical information about patients in Utah. One of their sources of data are claims data, which we ship to them, if the provider opts to do that as a way to ease their reporting burden. Most of it - you know - inpatient discharge database, sort of your standard kind of stuff.

DR. TANG: So - and it sounds like as you transition to clinical - and that is a new piece of information that you have a statutory permission to accumulate -

DR. ROOT: Not me, but the Department of Health.

DR. TANG: Yes, the Department of Health to accumulate personally-identifiable health information for this on behalf of the state, and that went okay? When was this passed and what was the rationale?

DR. ROOT: Let’s see. It was passed, I believe, about 1990. I believe it was getting off the ground in ‘91. The rationale was to improve the quality and care of Utah citizens and reduce the costs. It is still alive, if that is any testament to its ability to survive and to be functional, and they are expanding. They started with inpatient hospital discharge database. They have now expanded to include ambulatory-care centers and one other kind of center that I’m not focusing on, and then they have a new project now to use prescription information that they are getting from payers as proxy measures for chronic conditions. So if you have some kind of asthma medicine, then you probably have asthma, those sorts of things, and to look at rates in the hospitals of these chronic conditions and try to correlate that with this proxy measure of how well are you managing this condition.

DR. TANG: And isn’t there a big genealogy project within Utah, and is that -

DR. ROOT: Yes, there is. There’s the Mormon Church’s genealogical records. It’s actually -

DR. TANG: It’s not state related.

DR. ROOT: It is now - part of it is housed up at the University of Utah and has been merged with a large number of vital records - births and deaths. I think they have somewhere in the neighborhood of 3.4 million people in it. It is an extraordinarily clean database, and it is largely genealogically oriented, yes.

DR. TANG: So that is one approach is to legislate it into - (laughter) - existence.

DR. HARDING: Just a couple of clarification questions.

A VAN, you mentioned, just passes through information from - you don’t retain it for any period of time? There’s no backup? Once it’s through it’s through and you don’t have any way to check to see if you got the right stuff? I guess that is only in another kind of entity that would do that, not a VAN, but the clearinghouse.

DR. ROOT: If the content was correct or not? That is what clearinghouses can be contracted to do, to edit your data, check to make sure it is consistent.

DR. HARDING: So you don’t keep it for two weeks in order to - in case there’s a -

DR. ROOT: No, unfortunately, as several members have found, we don’t keep data, and if you lose it, we can’t help them.

DR. HARDING: Okay. The other thing I was asking, you are dealing with the uninsured.

DR. LEWIS: Yes, that’s right.

DR. HARDING: A great deal, anyway, the majority. What do you think - is there a clear difference between uninsured about the privacy and the insured?

DR. LEWIS: I think they’re - initially, for some of the reasons I describe, they are much more hesitant to share data, although what we find when they talk with - when we talk with them carefully and when they begin to build a trust relationship with the clinic that they then see the benefits of sharing that data, because they are much more likely to have multiple providers, end up in an emergency room without access to their records. So once we go through that with them, it is kind of like the research question. If you are asked to participate in research, then you probably will. That certainly was my experience at NIH, in any case, but, interestingly enough, the data that they don’t want shared has to do with country of origin and Social Security number.

DR. HARDING: Well, yes, if you get into illegal aliens and all, I can understand, but just plain uninsured, it is counter-intuitive, it seems like. It seems like they have less to lose by - so to speak - by having information out on the internet or wherever, and it just doesn’t quite - it doesn’t quite seem intuitive to me, what you said, but -

DR. ROTHSTEIN: Except there are some studies that show that they are worried about ever getting health insurance.

DR. LEWIS: It is not necessarily a rational process. That is one of the things that we discovered in working with it. For some parts of the population, it is simply that they view themselves as having been experimented on in the past and so they are suspicious of any kind of data-acquisition process.

In others, it is much more concrete. They are afraid that if their disease gets back to their employer, they’ll lose their job, and for these populations, there is generally a labor excess, not a labor shortage, so that loss of job is - it may or may not be a real fear. It is a little hard to tell.

When we use community workers, people who are - with whom they are comfortable, to describe the benefits of the data sharing, then we don’t have a lot of trouble getting - it depends on how you define trouble. We eventually reach where we would like to reach, which is that they trust us to be good stewards of their data and to use it appropriately, but it is a longer process, but not necessarily - from our point of view, not necessarily a bad one, because it brings with it ultimate trust in the health system and the benefits that they would receive from it.

DR. HARDING: And the final part of my question is how - you brought up the issue of education several times. How are we going to educate the uninsured as opposed to the insured? Are there special things that we are going to have to do for education sake, other than a trust relationship that takes a while?

DR. LEWIS: That is a hard question to answer, because it is partly - I think partly it is cultural and sociologic and partly it is - in the sense -

DR. HARDING: We haven’t been able to educate anybody real well, I mean a big group. So I just wondered if there was any certain -

DR. LEWIS: But, as an example, the Margle(?) Foundation likes to show this person falling off a ladder and saying, You have - you know - three milliseconds to remember your entire medical history. I think that is not quite the right analogy, even for most of us. I mean, what we have found, for example, is that when these patients end up in the emergency department, that is not the best place to - I mean, they may sign a consent form, but it is not the place to build a trust, and it is not the place to help them see the benefits of data sharing.

But I think part of it is acknowledging - I mean, there’s a general risk-reward calculus, if you - People who look at the things Americans worry about find that we all worry about things with the lowest probability of happening, if the consequences of them are catastrophic. So I think there is a certain sociology where the uninsured and the insured are identical.

But we are really working at three levels. One is building trust within the safety net, an individual clinic. The second is trust across the safety-net-clinic environments, and the third is linking that safety-net environment to mainstream healthcare, and to the extent that -

So, so far, education has been our best tool, some of it quite passive, simply having - and, therefore, less costly in a way - having a receptive and a comfortable environment.

If you look at the clinics - We have several Hispanic-oriented clinics and African-American clinics run by local churches; an Islamic clinic; a Pan-Asian clinic, run by the Chinese Cultural Society, and, there, the trust comes simply as a - to get the analogy backwards, guilt-by-association phenomenon. They trust the individuals in the clinics and they, therefore, are comfortable with the data sharing, and it begins to bubble up from the bottom, as opposed to an advertising campaign that says, share your data or you might die.

So I am fairly optimistic about the process, if it happens in a community level with the right connections, and if it happens there, then they trust the emergency departments in the hospital and then it flows upward in a way that I think benefits everyone.

DR. TANG: Just a followup question. It is a little ironic that, for the uninsured, at least when they are not undocumented aliens, non-residents, it seems like you would have less risk of sharing it with people who you are worried about, like the insurers or the employers, since, if you are uninsured, you are paying by cash and it shouldn’t go anywhere.

SPEAKER: Well, you’re not - no.

DR. TANG: No?

SPEAKER: You may be getting free care.

DR. TANG: But then it doesn’t go - It is not flowing out to the payer or the employer.

DR. LEWIS: The employers often are connected to it in interesting ways. Many of the small businesses in the county can’t afford insurance and they actually send their employees to the free clinics. They have lists of the free clinics and they say, Go to this one, and it is an interesting - I mean, in the grander scheme of how do you manage, which is, fortunately, not my purview and I guess maybe not something you guys can avoid also, but the dynamics of insurance and uninsured actually have very odd ramifications that are not - again, as I say, not entirely logical.

But getting back to the question of - in the UK and Canada, since you are assured of healthcare, lots of concerns drop out of that equation, irrational as well as rational concerns.

MS. WATTENBERG: Dr. Garber, coming from SAMSA(?), we do substance abuse and mental health. That is our constituency, and I am not a technology person, but I am always on the hunt for technology that will help patients who have substance-abuse and mental-health data, helping them both participate in national health information networks and also protecting the data to the level that it needs to be protected, and you talked about - and here is where I sound like I really don’t understand anything, because I don’t. You were talking about the ability for software that monitors adverse reactions for medicines that - you know - can remain invisible to the eye for somebody accessing the record, but, in the background, it is still doing whatever it needs to do to monitor the reaction.

Is that common in software? Is it easy? Is it -

DR. GARBER: Well, I should tell you where the status of our project, so - just as background. So we have a proof-of-concept that works. So we have shown that the technology works. We have these knowledge modules called RHINOS(?), and our technologist - I don’t remember what it stands for. He is the one that came up with these, but so we have shown that we can do a distributed federated model for the clinical data and for the master-person index with probabilistic matching, and that we can put decision support on top of the network, and we are in the process of making this a production system that we can actually move real patient data in and a million patient demographics in and make sure that the system still works. So, you know, we have another year ahead of us before we actually are truly live, but the concept is not that difficult and it is something that I am not sure if anyone else is doing it, but it was fairly easy to do.

The filter is just saying that we are not going to display or transmit into someone’s electronic health record certain pieces of information if we have decided that we can’t show, based on this list, the proic(?)-acid levels, because that just happens to be one of the medications. You know, it is a seizure medication, but it is considered protected, or, you know, let’s use that as an example.

Now, the network will transmit a new prescription for Depico(?), valproc(?) acid, and when the network sees that a new prescription has been sent or there’s been a new - from the PBM, there has been a new charge for this medication, the network monitors, to make sure that a followup level has been done at some point, at one of the labs that are connected, and regardless of the fact that no one can see that this medication has been prescribed, the network looks for - in temporally, for a drug level to have been done, and if it hasn’t been done, the prescriber is alerted, whether it’s - it will be - we have fax, email, alpha page. We have various different mechanisms to accomplish that. They are alerted that they have done something that needs followup.

Now, it turns out, of course, they are the ones that can actually see it, but no one else could have seen it. There are analogous kinds of things like that where they may have written a prescription that interacts with MAO inhibitor that the patient is on and the network sees, the next day, that they are either - right now it is probably going to be through the PBM - sees that there had been a charge for that medication, knows that there had prior been a charge for MAO inhibitor, knows that there is a drug interaction and alerts the doc the next day. So it is not real time, but it is better than never to learn of possible interactions. So that is how we are doing that.

DR. ROTHSTEIN: Well, thank you very much, all three of you. It was very interesting, and we appreciate your testimony and also your colloquy.

Let me tell everyone the rest of the schedule for today.

We will be taking a break now until four o’clock, and I would ask you to return before four, because, at four o’clock we will have our call from Australia testifying on Australian health information systems, and it is 6:00 a.m. in Australia and if we don’t call them on time, they are going to hit the snooze bar - (laughter) - and we are going to lose them. So I would ask you to be prepared to begin promptly at four o’clock. Thank you.

(3:35 p.m.)

* * *

(4:03 p.m.)

Agenda Item: Australian Health Information Systems

DR. ROTHSTEIN: Thank you very much for getting up at such an ungodly hour to speak with us.

DR. RICHARDS: It is my pleasure.

DR. ROTHSTEIN: As I guess you have been told, we are conducting hearings to learn about many things related to health-information technology, including hearing from international health systems to try to find out where they are relative to our preparations for protecting privacy and confidentiality in electronic health information systems, and so anything that you could share with us, we would greatly appreciate.

DR. RICHARDS: It is a pleasure to participate. Thank you for the invitation.

DR. ROTHSTEIN: So do you have a prepared statement or something that you want to tell us about where Australia is on this or would you just prefer to respond to questions?

DR. RICHARDS: I’m happy to respond to questions, and I do not have a prepared statement, but just some introductory comments.

Australian Ministers for Health commissioned an Electronic Health Records Task Force in 1999.

SPEAKER: Excuse me. Just a moment, please - I’m not getting an answer for Janine Ward.

SPEAKER: Okay. Thank you.

DR. ROTHSTEIN: Okay. Thank you very much.

SPEAKER: Okay. Thanks. I’ll continue to try, if you want me to.

SPEAKER: Yes, please.

SPEAKER: Yes.

SPEAKER: Want me to continue to try her?

DR. ROTHSTEIN: Yes, please.

SPEAKER: Okay.

DR. ROTHSTEIN: Sorry, Dr. Richards. We are trying to get Jeanine Ward as well, but please continue.

DR. RICHARDS: Thank you.

As I mentioned, our Electronic Records Task Force was established in 1999 to advise Australian Ministers for Health on whether or not electronic health records were a good idea and whether or not Australia, an Australian government should start to support a formal process to develop those - a system of electronic health records.

That task force reported in 2000 and strongly recommended that Australia do proceed down the path of developing electronic health records, and a project was commenced, called Health Connect.

Australia is a federation of states, and we have a national government, and eight state or territory governments. Under our Australian Constitution, health care is a responsibility of the state and territory governments and the national government does not have direct commonwealth powers in relation to health, but the commonwealth government does have responsibility for sort of national coordination of activities, and so its taxation payers and so its funding payers has, over the time of Australia’s federation, increasingly plays an important role in developing national approaches to healthcare.

Each state and territory jurisdiction is responsible for the provision of public-hospital services and many community-health services. Most primary-care services and community-based specialist services in health in Australia are delivered through the private sector, and most of those services are subsidized by a national health insurance, universal health-insurance system called Medicare.

The provision of health services, therefore, occurs in the environment -

SPEAKER: Excuse me. Jeanine Ward is joining.

MS. WARD: Hello.

DR. ROTHSTEIN: Hello, Ms. Ward. This is Mark Rothstein, again, in Washington, D.C. Thank you very much for joining us, and your colleague, Dr. Brian Richards, is on and he was telling us about the general framework for electronic health in Australia.

MS. WARD: Um-hum.

DR. RICHARDS: Good morning.

MS. WARD: Good morning.

DR. RICHARDS: So the Australian Health Services - health services in Australia are performed in an environment in which both state and territory and Australian government’s national commonwealth government legal frameworks apply, and privacy, therefore - issues related to privacy are managed both under the Privacy Act, which is a commonwealth government act, and also different states and territories also have a variety of pieces of legislation relating to the confidentiality and privacy of health records specifically.

The Australian Government has modified its Privacy Act to specifically encompass the provision of health services and a number of provisions of the Privacy Act apply specifically to - health information.

In developing the Health Connect, electronic health record system for Australia, certainly, all stakeholders are mindful that the issues of privacy and confidentiality of personal health information are central to public trust and public participation in the system.

At this stage, the Health Connect project has been - has just concluded a series of pilots and trials and field tests and is just now moving into a national implementation phase, which is starting on a state-by-state basis. So we are starting commencement of statewide electronic health records in a number of the smaller states and territories in Australia, building on national infrastructure, but the issue of privacy and confidentiality have been receiving some significant - attention in Australia in the last couple of months as the Health Connect projects go live, and so the level of public interest in privacy and confidentiality in the context of electronic health records is growing in Australia.

DR. ROTHSTEIN: Let me ask you, one of the issues that we have been exploring is the degree to which patients - individuals - have control over the contents of their health records, as well as the release and distribution of information in health records. How have you dealt with that issue?

DR. RICHARDS: Australia doesn’t have legislation that is directly analogous to the HIPAA legislation that exists in the U.S.

DR. ROTHSTEIN: That legislation is known all over the world. (Laughter).

DR. RICHARDS: It certainly is. Not least of which is the impact that that legislation has had on the development of software for health services. Obviously, any company that aspires to an international market for its healthcare products needs to comply with the HIPAA legislation, and, to the extent that the HIPAA legislation does not apply in Australia, that can sometimes be a problem for us in purchasing software to meet our needs.

The issue of the ownership and access to health records in Australia is a complex one. There was a legal case that went to the Australian high court, which established some common law precedent on the ownership and rights of access to health records, which is referred to as the Breen(?) and Williams Case, in which a patient was seeking access to their medical records held by a specialist, and the high court of Australia found that ownership of the health record rested with the medical practitioner, not with the patient, and that the patient did not have a common-law right to access information held about that patient by that medical practitioner.

That ruling provoked significant reaction from - within the Australian community, which has led a number of the states and territories to pass legislation specifically concerning a right of access to health information held by medical practitioners to patients, but that legislative framework is not consistent across the different states and territories of Australia, although it is now largely accepted within the medical profession that patients do have a right to view and understand and access information held about them in their record, although the degree to which patients have the right to correct information held in a medical record which they believe to be incorrect varies across the different Australian jurisdictions.

DR. ROTHSTEIN: And what about any right to delete information that they think is sensitive and perhaps not medically relevant anymore, could be old information?

DR. RICHARDS: Again, the exact situation differs across different Australian jurisdictions, but, in general, my understanding is that a patient does not have a right to seek material deleted, but does have a right to seek that material annotated, in some jurisdictions, to indicate that they believe that this material is incorrect and potentially prejudicial.

DR. ROTHSTEIN: And as you shift over to electronic records, is there greater concern about privacy and confidentiality among the public or haven’t you seen that yet?

DR. RICHARDS: The development of electronic health records has certainly contributed to the public debate and raised the issue of privacy and confidentiality of health records generally within the Australian community. Clearly, technologies can either be privacy neutral or they can be privacy enhancing or, indeed, they can damage and undermine a person’s privacy.

Obviously, electronic and internet technologies can allow a sort of wide dissemination of information that was previously fairly inaccessible on a paper record, and so it is generally accepted that it is incumbent on anyone developing electronic health records to ensure that the technology is utilized to, if anything, enhance the privacy of the individual, rather than, in any way, undermine that.

DR. ROTHSTEIN: Ms. Ward, would you care to comment?

MS. WARD: Yes, I think that is correct. There has been a greater concern with electronic health records. The public is concerned - for, you know, greater exchange of information, and whether privacy can be maintained in that context.

DR. RICHARDS: In the development of Health Connect, the way - and recognizing that a national system of electronic health records in Australia needs to operate within a legal framework of multiple state and territory legislation as well as the Australian common-law legislation, the development of an electronic health record that is share-able and accessible by a range of providers and, indeed, the consumer themselves, the development of those records has largely revolved around the concept of informed consent. There is some ongoing debate in Australia as to whether, in certain jurisdictions, it is acceptable for an electronic health record to be developed on all patients in that jurisdiction with individuals having the right to opt out of having such a record developed or whether, in fact, there should be no electronic record created unless the individual patient has gone through a specific informed-consent process to opt into the development of such a record.

In these discussions, we certainly are mindful of some international experience in the issue of whether it should be opt-in or opt-out, and that debate is not yet resolved in Australia, but there is a universal agreement that there should be a process of informed consent, so the patients should understand the uses to which information held about them in an electronic health record can be put and the degree to which they have authority to control access to that health information.

Now, the common law and legislative frameworks that apply to the ownership of the record that I discussed before obviously also have an impact. If the common-law situation in Australia prevails, in that medical practitioners have an inherent right to own the record that they create, the situation in which a shared electronic health summary record is developed to which information is contributed by multiple practitioners creates some interesting issues in relation to ownership of the record and associated responsibilities for its maintenance.

One of the ways in which we are looking to manage that situation is when a provider does supply information to a shared electronic health record about their patient to which other healthcare providers are also contributing, we are exploring, currently, the issues of providers giving a license to use, in effect, a copyright license to the use by other practitioners of information or intellectual property which they have contributed.

DR. ROTHSTEIN: Is there any effort being undertaken to treat certain sensitive health information separately or at a higher standard, such as psychiatric records or HIV records and the like?

DR. RICHARDS: At this stage, the experience of the Health Connect trial and pilots and field tests has been to treat all health information as potentially sensitive and to create levels of access control and levels of consent and authorization for access, audit trails and the like, as applying to all information as if it were that degree of sensitivity.

Clearly, patients who have substantial concerns about potential breaches of privacy and the impact on them of the broader availability of some sensitive information, those patients are more likely to withdraw or not provide consent for participation, although, it is recognized in many cases that participation in such records, access control is managed appropriately, does, in fact, confer a benefit on the individual.

DR. ROTHSTEIN: Patients who are concerned about loss of privacy, do you think they are mostly concerned about the tangible loss of benefits that might accrue? In other words, are they worried about losing a job or not getting life insurance or something like that or are they just concerned about the embarrassment or stigmatization that might occur from someone learning sensitive medical information?

DR. RICHARDS: I think it is both. I think that, certainly, individuals have justifiable concerns about a range of consequences of a potential breach of the confidentiality of their health information.

DR. ROTHSTEIN: Okay. I would like to recognize one of my colleagues who has a question for you, John Houston. John.

MR. HOUSTON: Yes, thank you.

A quick question about - just to follow up on that last question. Are there similar laws in Australia regarding non-discrimination for medical conditions or disabilities or things of that sort?

DR. RICHARDS: Yes, there are, and Ms. Ward may wish to comment on that.

MS. WARD: Yes, there are laws dealing with discrimination and preventing discrimination on the basis of medical conditions.

DR. ROTHSTEIN: And a question from Mr. Harry Reynolds.

MR. REYNOLDS: With so much - appears to be so many degrees of - levels of health information sensitivity and the informed consent and the opt-in, opt-out, are you looking at things like e-prescribing? And if so many people have a right to opt out, how can things like e-prescribing and some of the other protections about knowing all the health information, how do you see yourself balancing those?

DR. RICHARDS: The way in which we are progressing these issues in the jurisdictions in which we are moving into in the implementation phase is to differentiate between the electronic storage of information at the point of care - that is, the electronic clinical record maintained within the precincts of the individual medical practitioner providing the service - and a shared electronic health summary record, which is in a data repository which is accessible by the web by - potentially by a wide range of healthcare providers, and in between those extremes is the point-to-point transfer of structured, secure clinical messages between providers directly involved in providing the care to the patient, most of the issue related to opt-in and opt-out and consent relate to the development of a shared summary record in a data repository to which potentially a significant number of providers will not only contribute but be able to access information.

The decision of an individual practitioner or an individual service provider to move from a paper-based record to an electronic record that is not accessible beyond the practice in which the record was created is generally not regarded within the community as being a decision that a patient has a right to consent, though, if, for example, a physician decides to stop recording their clinical notes on paper, but records them in an electronic system within their practice, it is generally regarded that the patient doesn’t have a right to say, No, I want you to keep my records still on pieces of paper.

I guess there is a common law - the balance of the fiduciary duties of the provider to the patient that certainly medical professionals in Australia, as elsewhere, have an ethical and common-law duty of confidentiality to the patient, and that is to retain - ensure the confidentiality of information that passes in confidence between the patient and the provider is respected and preserved.

However, there is an increasing recognition in both common law, but also in certain jurisdictions in Australia in statute that the provider has an ethical and common-law responsibility to maintain accurate records about that patient and to use that information to make appropriate clinical decisions.

For example, a medical practitioner records an allergy that a patient has towards a particular drug and then subsequently prescribes that drug to the patient, if they haven’t maintained their records in such a way as to ensure that information is readily accessible, there is certainly a cause for action by the patient.

Once the information leaves the practitioner to whom the patient has divulged information - say, if it is sent as a referral message to another physician or sent as a prescription to a pharmacist, then, clearly, the duty of confidentiality also applies, but the health system also has an interest in how those messages are managed.

I mentioned that in Australia we have a universal health insurance called Medicare, which is funded through taxation revenues and to which all Australian residents are entitled to participate, and we also have a national pharmaceutical subsidy system, called the Pharmaceutical Benefits - These large national health insurance programs - health benefits programs and a number of other national health programs are administered by a national organization called the Health Insurance Commission.

The Health Insurance Act which oversees Medicare requires for a number of things to be done in order for a service to be able to be claimed - for a benefit to be claimed under Medicare.

For example, a specialist consultation is - the financial rebate for a specialist consultation is significantly higher than the Medicare rebate for a consultation with a family physician, the general practitioner, but that higher level of rebate is only payable where a family practitioner has referred a patient to a specialist for care, and that referral must be signed by the individual medical practitioner.

We have in Australia an Electronic Transactions Act, which permits an electronic document to have the same legal standing as a paper document, and to determine whether or not a practitioner has signed a referral, the Health Insurance Commission has introduced a system - the structure of healthcare, and so all healthcare providers who operate under the Medicare banner are able to receive, without charge, a digital certificate, either a personal digital certificate, which equates to an individual signature, or a practice or a location certificate, which equates to a - like a letterhead on a letter that provides the non-repudiation and certainty that information is from a particular healthcare location.

These digital certificates are increasingly widely used, not only for transactions between healthcare providers and the Health Insurance Commission, for example, submitting claims for Medicare benefits or providing - or signing referrals between practitioners, but also, increasingly, being used between practitioners for regular patient care, point-to-point clinical communications, and so the public infrastructure provides encryption - highly-secure encryption for health information flowing out of the internet between - in an electronic form between providers. It provides - for the confidentiality of that information to be preserved - preserve the message integrity, and, importantly, for claims information and for some of the legal frameworks, it provides a way of digitally signing that information in a way that is non-repudiable.

DR. ROTHSTEIN: Thank you.

We have just one last question, then we’ll let you go have breakfast, and that question is I wonder if you could give us a bit more detail on Health Connect, and that is, is there a sort of a central repository in each state and territory or is there a central system of interconnectedness of linkage with the healthcare providers or are there multiple systems within each state and territory?

DR. RICHARDS: At this stage, Health Connect has been rolled out as a - in a preliminary pilot or an early implementation phase. There has been a single repository in each jurisdiction for the storage of health records.

The current recommendation, in terms of the national architecture, is for there to be a single national repository of those shared electronic health record summary data sets for individual patients, and it is expected that those data sets in that repository would be managed by the Health Insurance Commission. HIC has a highly-secure internet gateway that is accredited by Australia’s Defense Signals Directorate and is widely trusted as an organization that handles security of electronic information extremely well, but the final decision on those architectural questions is still to be made, and it may be that, in fact, we end up with a federated system of records, and so patients could have some - potentially some choice as to where their record is maintained.

The current thinking is that an individual patient should only have their record maintained in one place, but they may have a choice in what that place is with the Health Insurance Commission being the default repository if the patient does not elect to have their record stored by, for example, their private health insurer, but those architectural issues are still being assessed by an organization recently established in Australia to look at standards for electronic health - called the National E-Health Transition Authority.

DR. ROTHSTEIN: Okay. And, finally, I guarantee this is the last question.

MS. GREENBERG: It’s a short one.

DR. ROTHSTEIN: Ms. Marjorie Greenberg has a question for you.

MS. GREENBERG: Thank you for participating. We appreciate it.

I just wondered how patients are uniquely identified in your system or are they or what is your process?

DR. RICHARDS: At this stage of the development of Health Connect in which it is largely original implementation of electronic health records and the data are held within that region of Australia. We do, for each of those early implementation phases, issue an identifying number for the purposes of the Health Connect trial.

Again, the National Electronic Health Task Transition Authority, NEHTA, which is the body I just mentioned, has been - to define the standards, in the final stages of making recommendations to - and this is in relation to a national health identifier, and the current draft proposal is for, again, the Health Insurance Commission to manage a system of national health identifiers.

MS. GREENBERG: Thank you.

DR. ROTHSTEIN: And, Ms. Ward, any final words from you?

MS. WARD: No, I have nothing else to add. Thank you.

MS. BERNSTEIN: This is Maya Bernstein. I sort of found you - (laughter) - identified you, and I am very glad to have you participating.

I just wanted to know if those recommendations will be available to the public when they are finished?

DR. RICHARDS: Yes, I’m sure they will be. I’ll just draw your attention to a couple of websites from which you could probably not only get - information now -

MS. BERNSTEIN: Thank you.

DR. RICHARDS: - but you could monitor for developments over the next few months.

The first is the Health Connect website, which is at www.healthconnect.gov.au. We have, just last week, published a legal-issues report on Health Connect which is quite an extensive piece of work which we commissioned from one of Australia’s leading law firms to look at the legal issues in relation to electronic health records, and I would commend that report to your committee.

There is a summary report, summarizing the key findings and recommendations, and there is also a much more detailed report available on that website.

That website also has information on the implementation strategy for Health Connect and some evaluation materials on the range of pilots, trials and field tests of the electronic health records in Australia.

The other website that I would draw to your attention is the website of the National E-Health Transition Authority, which is at www.NEHTA.gov.au, and that will have information on the standards and architectures for electronic health record systems in Australia moving forward.

DR. ROTHSTEIN: Well, once again, thank you very much for taking the time to speak with us, and it was very helpful, and best wishes to you as you go forward with your electronic health system.

DR. RICHARDS: Thank you very much for the invitation, and I am happy to be of assistance should any further questions arise.

DR. ROTHSTEIN: Thank you, and for those of you who are listening live on the internet, I just want to tell you about the schedule for the rest of our hearing.

We have had no requests for statements from the public.

The subcommittee is deferring its discussion session until tomorrow at 11:30, from 11:30 a.m. to 12:30.

And if there is no further business, we will be adjourning for today. We will resume promptly tomorrow morning at 9:00 a.m.

Thank you.

(Whereupon, the meeting was adjourned at 4:30 p.m.)