I have posted the materials that were available for download during the webinar below, and the rough draft transcript of the meeting is below them.
Privacy and Security Policy Committee Member List:
Rough Draft Transcript:
Good morning and welcome, everybody, to the privacy and security policy work group that is a work group of the HIT policy committee. Remember that this is being conducted in the public and the public will have an opportunity at the end of the meeting to make comments and, workgroup members, if you could remember to identify yourselves when speaking.
Rachel. For those of you that do not know, the Office of the National Coordinator has established a policy whereby the work group meetings in addition to the policy committee and full standard committee meetings will be conducted open to the public. That does not mean that we could not if there was not made strong policy reason for that closing a meeting do so, but for the most part we will operate in our meetings with the public fully invited. They are on mute for most of the call, but we reserve the last 15 minutes of the call to open it up for public comment. Does anybody have any questions about that? Again, I think this is a welcome change, personally, but it does require us, in addition to it being easier for workgroup members to know who is speaking, it is important for you to identify yourself so that all the people on the line know who you are. With that, we will move into the first item on the agenda, which is finalizing our workgroup charge. These are changes that originated with John Huston. There was one more addition of the word "collection" in the very end of the charge that was suggested by staff. A lot of people were supportive of these changes when we circulated them by e-mail but given that not everyone had a chance to weigh in, I wanted to spend time this morning making sure that everyone is comfortable with the wording and we can finalize it and move on to other business. Does anybody have any questions or comments or further suggestions?
This is Kathleen. Is it showing on the webinar? I do not think I got it.
It is on the annotated agenda. I will read it in. Make short-term and long-term recommendations to the health IT that will help build public trust in health information technology and electronic health information exchange. Specifically, the workgroup will seek to address the complex privacy and security comments to the development of proposed policy, governance models and solutions and approaches that enhance privacy and security while also facilitating the appropriate collection, access and use of health information to improve health outcomes.
Can I ask a question?
Sure.
In that list, the disclosure is not part of the best?
The term, Exchange, is used. To me, that includes disclosure.
I would just caution that in the privacy principles and general principles in the literature, too, the word "disclosure" is used, and that one could exchange health information without using that information. For example, when it is in transit through the clearing house where they might look at the header but are not using or accessing the information. That would be my--
This is Paul. I agree. There is not lot of confusion about the word "access" use in the literature. It is easier to throw all three of them in.
I do not have a problem with that. Does anyone object to that in the workroom?
Can you repeat that?
It is towards the end of the charge. It goes with our development of, again, proposed policies and models and solutions and approaches that enhance privacy and security while also facilitating the appropriate collection, access, use, disclosure and exchange of health information to improve health outcomes.
That is fine.
We have Gail on the bond, and now.
This is just from Blue Cross. In the first sentence, can we add where it would read it will help build public trust in health information technology and electronic health information exchange and ensure the use to improve healthcare quality and efficiency? Part of what we do is to not only build the trust in it but facilitate the use.
Right. I do not have a problem with adding that. That is exactly why the "specifically" line says that the solutions and approaches enhance privacy and security while also facilitating the use.
This is Dixie. Can you read that?
If you could read it again, that would be great.
Instead of exchange in the first sentence, you would add on and ensure the use to improve healthcare quality and efficiency.
I do not believe that is the charge of this work group is to ensure the use.
This is Kathleen. Make it authorized the use?
This is Peter. I would agree. That exceeds the bounds of the workgroup.
If you put "enable" I would be okay with that.
What about facilitate?
That is the point. But of having the role of privacy and security safeguards is to get people comfortable with using it and think that is important to help facilitate. I am fine with facilitate and enable.
It would say facilitate the appropriate use to improve healthcare quality and efficiency.
[ OVERLAPPING SPEAKERS ].
[ Audio/Speaker not clear] application domain--
So, "enabled."
I would be fine with that. This is Dixie.
This is John Blair. Is the statement up?
It was on your annotated agenda.
I will pull it up there. I remember looking at it over the weekend. It does distinguish access, exchange and disclosure as separate?
Yes.
Okay.
[ OVERLAPPING SPEAKERS ].
It does not mention disclosure right now.
No, it does. We just approved that.
With the change, it does.
For those of us that were late, can you restate the sentence?
I also have my trusty sidekick taking some notes over here. To make short-term and long-term recommendations to the health IT--policies and practices that will help build public trust in health information technology and electronic health information exchange and enable the appropriate use to improve healthcare quality and efficiency. Specifically, the workgroup will seek to address the complex privacy and security requirements for the development of proposed policies, governance models, solutions and approaches that enhance privacy and security while also facilitating the proper collection, access, use, disclosure and exchange of health information to improve health outcomes.
Kathleen: The word "appropriate," I find ambivalent because I do not know what it means. Authorize seems to be what is allowed in the regulatory sense. Is there a reason for using "appropriate"?
The use of it is that appropriate has some sense that those people who have a need-Well a need to access that information or use it-anyone can be used authorized what is appropriate or not.
I just want--this is Deven. It is a charge, not a statute. The reason why I did not devote a lot of time to doing this is that I am not sure it is a great use of our time to admit that on the details of this bank.
Based upon best this is John Huston-I would propose that we pass it and get on--
Deven: I throw that in the approach reverses not authorize the date. For a charge, Kathleen, I get where you are going, and John, I get your counterpoint. I think "appropriate" assumes all of those things.
I agree. I move that we accept it with the changes just made. This is Dixie.
I support that. It is Joyce.
I also, Gail.
I, too--Justine.
Does anyone have any strong objections to us moving forward as I just read it?
No.
Excellent. I apologize if I was terse. I heard from a lot of you after our initial call and we have a very large group but it is important to have a broad range of the stakeholders represented and the more focused we can be, one, will advance us further forward in making some good recommendations and facilitate maximum participation. Again, I apologize if I was being to have because we have a group here that can make some progress on these complicated issues only do that if we can be focused.
This is Allison. I would like to remind all. To please turn down your. On your computer. That is what is causing the echo. Thank you.
Thank you, Alison. That is right. Let's move to the next agenda item. What we talked about on our last call was the nationwide privacy and security framework for electronic exchange of individually identifiable health information. For those of you not familiar with this document, this is a set of overarching principles taken from a number of different models of fair information practices that have been put forth both in the United States and abroad that was developed during the Bush administration by the Office of the National Coordinator and released to the public in December of 2008, more towards the end of that year. People did not get a chance to read it before our first call. There have been some subsequent--there is some concurrent work going on by a separate, strategic planning work group, which involves creating a white paper that expresses some overarching principles in a number of key areas that include privacy and security, drive down to some more specific objectives and moves towards a strategic plan or time line for getting some of that work done this because that is a separate workgroup with some members on this work group also serving on that one. Nevertheless, it is a place where they are working with a--they want to work with a set of principles that then gets parsed into more specific objectives and strategic plans going forward. My hope is that we will continue to work together in a back and forth way on these objectives, more specific objectives and time lines get nailed down. I think it is appropriate as the privacy and security workgroup that we do that. In the meantime, what to do with this nationwide framework, I want to propose something to the work group now, which is to discuss whether or not there are any key omissions in it, but otherwise not wordsmith it. It is at the more principled level and to pass it on to the strategic planning work group to be incorporated as the overarching principles that would go into that white paper.
I want to stop now and pause and allow Rachel to add any thoughts and open it up for some comments.
No, I just wanted to also, hopefully, to clarify for people that as the document is structured, there is a comments to this on page five is the first sentence after the bold heading that is the stated principle to. The information in the italics, if I am following this correctly, correct me if I am wrong, Deven or Judy, is the explanation that ONC prepared to explain the principles, themselves. The principles are the individual sentences that immediately follow each heading. Individual access, correction, openness and transparency, choice, etc.
That is right, Rachel. This is Deven.
Again, it essentially, ONC worked on this for about two years. Since we are a new work group, it is worth noting if there are any key omissions that we would want to see incorporated in here, but to try to avoid wordsmithing. That is not make radical that we might not recover from.
As the strategic planning committee, they will review that in the context of their work and may send it back to us that in our discussion we think you might want to discuss item X that was not addressed in this or might need some elaborations because this might end up coming back to us after the strategic planning committee reviews.
This is Paul. My only comment about the documents because the document and framework are excellent and lays things out very clearly but was written before the ARRA. As a result, it does not refer to ARRA and I am wondering if that is a little bit of a problem, especially since the document says the patient should have the right to access to their electronic data, but ARRA already gives them that access.
Deven: That is exactly right back. What is interesting is that these are principles for which actually even before ARRA we have some law on. In some respects one can think of this as we actually already have some law in this area that provides some guarantee in more specific ways of how these principles get operational. Nevertheless, to the San there is somewhat in some areas and gaps in others when you set overarching principles, it can help guide you when making decisions down the road about what is the overarching approach that governs what we do? So, while it has not--I would argue that because it is at the principle level, it does not need to be updated and using your example, Paul, the HIPAA Privacy Rule has always given people the right to a copy in the format they request. ARRA requires that you get it electronically if people require that and is some limitation on how much you can charge it the goods is not supposed to go into that level of detail. It is a level of them living document where the policies underneath might change, but the principles remain the same and the policies, in fact, are operationalized.
In looking through all of the different policies, there is nothing in here that when I read through this, I see that ARRA changed that. Nothing--that are still to me, equally applicable, even now.
Rachel: ARRA said provide specific implementation context and we will be discussing that momentarily in conjunction with the proposed rules. It does not fundamentally alter them.
Mary Ann: I think this is a very well written document and the principles are very nice. As we move forward, however, in implementing the principles, it will be important to keep research uses and disclosures in mind. HIPAA currently allows some disclosure, for example, for research without authorization. I raise that and do not know that we need to change anything in the document to address that, but know that we need to keep research uses and disclosure in mind moving forward. I also wanted to suggest a possible tweak to the charge. Unfortunately, I could not weigh in. My access was blocked but that has been changed, to include research in the charge and where I would like to propose it is the end of the charge where it says to improve health outcomes, including for Research.
I think--this is Deven. The only thing that gives me pause is I am opposed to using the one thing that improves outcome rather than other things because we need to keep it broad and if we are calling out that one thing, it opens the door of. 12 heard from other.
It is understood to improve the health outcomes, I am fine with that but do not want it to get lost that research use gets appropriate consideration.
Okay. You are okay with not specifically mentioning it but making sure as we shape our agenda going forward to not leave that out. I do not want to speak it is important.
Kathleen: I wanted to point out in the various statements of these principles there is inconsistency about whether we are talking about use of disclosure in a couple of places where stated and under safeguards it is access to use the disclosure but no collection. I think it would be helpful if the group consistently used the spectrum of the types of-I guess access-I did not know the exact term, specific types of submissions to you have collection access, use and disclosure cover consistently throughout the document wherever these principles are stated. I do not see any particular reason why it is one versus the other. For example--
I get what you are saying, Kathleen. Again, to avoid wordsmithing this, how about as we pass this along, we note that the full spectrum of all types of activities were upper plate under an appropriately recognized and the strategic framework workgroup might consider that. We will in terms of our own discussion about specific policy.
Dixie: The difference that Kathleen is pointing out relates to data versus information. You can access data without disclosing information if the data is incorrect it. I think if we were consistent in to access data and disclose information, we would handle the concerns that she has.
They are different rules that applied. Thank you for pointing that out. The other one, and I do not want to white paper--
But.
Action want an explanation. It says never to discriminate inappropriately. I am pondering what is inappropriate versus appropriate discrimination?
For example, Mary Ann's comment about research. You do a cohort search.
I am not sure if that is what was meant. Sect, from ONC, do you know what they were getting there--
Sarah, from Jim, do you know what they are getting at?
No in. I can try and talk to the project officer and find out.
That is a good question.
Some of this stuff-this is a living document. I am making some notes about the easy changes that we can think about.
Deven, I remember that Jody Daniel once mentioned to me that when the Security and privacy workshop and standard committee were looking over this, she mentioned that they, ONC, were in the process of updating it and recognized the need to be updated. Can you get from her the specific needs for update that they already identified?
The latest that Jody said to me is that they are not necessarily updating this document, per se, but by putting this forward, this was the first step and the specific policies and best practices to operationalize it were going to be more the focus, but we can confirm that. I did not get the sense that there was, necessarily, going to be further changes made to this document, per se. My view, and I sit on the strategic planning work group, is to the extent that there are some things, some key things we want to pass along to them and basically what we have been discussing this morning, as we say to think about this as you incorporate this or discuss it in the draft of the white paper that will form strategic plan going forward, I think that is all appropriate.
Gail: The one thing I would ask us all to look at is under safeguards when you talk about individually identifiable information should be protected with reasonable administrative safeguards to ensure the confidentiality. What is reasonable? I think that is where people are going to get very nervous is how you define reasonable. Where that leads you, and is it going to be truly protected?
I think that is right, Gail and one of the reasons why we need languid in printable form, and of verging reasonable form, property, those are pretty broad terms and it comes down to when to discuss specific policy.
Gail: I think we need to be very mindful of that. What is reasonable with that one person and an agenda and is not reasonable with another. If we determine things, we have to be cautious that we are making things that our policy that are developed to protect the information. As reasonable as possible, yet making sure there is the integrity of the data and privacy and security are absolute essentials. That, to me, is the? Of the whole thing, that one word, right there.
[ LAUGHING ].
Dave: I agree. That same word is used liberally.
These are the overall content overarching state. I am not sure what you would replace that with. Again, there are a lot of factors that need to be considered and when you promulgate any policy, these buzzwords, while they make me nervous, too, they are more placeholders for the harder work that we will do, quite frankly, and in discussing what that means.
Dave: The issue of for setting a principle is if it is a minimal standard or expectation for get the highest level of performance. You can take the word "reasonable" out and make sure that these are policy and need to shade the grey, but the overall principle should be the high standard.
I agree with him. I am sorry that I did not get your name. I am looking at the principles here. In every case you could take that word out of there and that would be the principle.
Right.
Paul: I wonder if it would help, Jan 11, to give context around the strategic planning process, would that be useful?
Sure. Go ahead, Paul.
Paul: This will be presented to the rest of the committee in a couple of days develop four themes. This is called for in the statute that ONC updated the Strategic Plan. There was a work group formed to provide advice on the HIT Policy to ONC. There were four themes that were developed to help shape the recommendations. One is meaningful use of health Information Technology. Two is policy and technical infrastructure. Three is policy and security and four is to create a batch-effective use of HIT. You recognize that this group's efforts, privacy and security occupied and one of the four themes. It is really major. The way that we have organized our work is to talk about the theme itself, to describe it, to talk about the principles and the strategic objectives and delve into the strategy. I think the suggestion that you have so far put forward is to use the previous framework, something like six sentences, as principles, sounds really good to me. As people have mentioned, a lot of work has gone into it and they describe the principles really well and what I think you are also talking about is how to determine what is reasonable. I would not give up the term "reasonable" because that gives the balance between what and where does the information have to go to do all of those good things, research, patient care, etc., and protect the individual confidentiality of identifiable health information and sometimes aggregate information. There is always a balance. There is a need for one side or the other. The concept is at the principle level. That might be put into context of you having principles but at the next level you will be discussing, even in this work group, are some of the objectives that you will pass on to the Strategic Planning work group.
This is Peter. I would second those comments. The word "reasonable" makes people nervous but makes me comfortable as a provider. So, I am not opposed to this three people's arguments about why it should come out, but I believe that principle of reasonableness helps to protect both sides to arrive at better policy.
Thank you to both of you. Again, I would propose that we send these along. The more important discussions will have the particular is and specific policies are where we will make our most impact and figure out how to get these policies right so, in fact, we are facilitating or enabling the use of data for good benefit while the same time, protecting policy. A lot of people refer to that as a balance the coat that is a word that does not always make me comfortable. The notion of needing to have both to do right by patients is even reflected in our charge.
Judy: I have been on since the beginning, but they had me on mute and had to get them to put me on as a speaker. Collection use and [ indiscernible ] that is identifiable health information should be collected and disclosed only to the extent necessary to accomplish and can accomplish the specified purpose and never discriminate. From an electronic disclosure point of view, I am not sure what that means.
It is a common fair information practices concept. Do not collect any more data than you need to fulfill a purpose for which you are permitted or makes sense that you are collecting the data. You are only supposed to use what you need is because some people have come to refer to this as green use of data, to borrow an environmental term. Do not collect more than you need. Do not disclose more than you need and also is reflected in minimum necessary standards. Does this get into the situation where you have the patient feeling that the orthopedist should not know about her depression drugs and they like they should because I can tell you if I prescribe the wrong thing. Is that this kind of thing?
It does not resolve that question at that level of detail, but instead, it is a data sets stewardship principle that says when you have health information, there are limits to how you can use it. It does not, specifically, resolve the question, Judy.
Judy: Are we going to resolve?
Not today. We will get there.
Thank you.
You're welcome. Again, these are just at the principle level. I will propose--understanding we have had some discussion about some things that I think we want to pass on to the strategic planning work group--I appreciate that people were good about not wordsmithing this too much, but I propose that we, with a couple of issues that we raised, being communicated, also, to the Strategic Planning work group, to go ahead and move this over to them for consideration as the overarching principles that will guide their work in the strategic plan on privacy and security. This is just on principle level, understanding it does not resolve all the details, and it should not, but just at a principle level. Do you have objections to that?
I would note that I would like a for discussion of the term "reasonable."
Are the right to propose that we pass that along with a full understanding that while for Some people, that is the comfort level, that the balance will be appropriately instruct for others. It makes people uncomfortable and what is reasonable in any given circumstance is what needs to be determined by more specific policies.
Also, you have at your disposal creating objectives. If the principle is reasonable and that is not defined or not precisely characterized, then back one of the objectives that either ONC or the policy committee, even, is to delve into that and say, how do we hear the balance of objectives and create a policy that reconciles all of the need. Clearly, [ indiscernible ], John Huston is the co-chair of the privacy and security committee has done a lot of work on it and Deven's group. There are a number of people that have commented on that and maybe one of the objectives might be to look at those things as part of this preparation for new policy. Do you see what I am saying, Gail?
Yeah.
We have a principle and objectives can help sort out the term "reasonableness."
To the extent because this is Paul. To the extent that there--we have a strategic planning work group but to the extent that objective might be discussed on privacy and security, I know that I will want to bring those to you all for further discussion. In fact, what we are doing should inform what they are doing. I think there are others that serve on both, this policy and security workgroup, in my view, should have an opportunity to shape what goes into that work plan.
Absolutely.
Deven: To get the discussion. Thank you, very much. We will move right back onto the next agenda item. Let me take a step back a minute and set a framework here. One of the things that we discussed in our last call was a tentative work plan for moving our work going forward. Rachel and I are still tinkering with that a little bit but actually think that's it in the interim was the release of the meaningful use proposed rule by the Centers for Medicare and Medicaid Services and the release of the interim final rule on certification criteria, both of which have sections on privacy and security that, I think, are definitely worth discussing and, actually, raise issues that we had tentatively brought up to be on our work plan for the first quarter of our time together. That includes how to operationalize some of the new accounting for disclosure provision of provisional IRA and the provisions that were in ARRA and also security practices and policies. I thought it would make sense, given that these rules have a comment period of 60 days, which is rather generous, but we have a slightly shorter time period if we want to tee up to the policy committee some recommendations that we would seek their endorsement on before forwarding them to ONC and CMS, in my view it is a more powerful set of comments than what was put forth in both of these rules. So, with that, what we sent you in the agenda were links to what is called the pre-publication version. What that means is it is the version before it is officially put in the Federal Register, but still available from a public source. I notice that the links were not working for need to well over the weekend, so I sent you the hard copy documents.
I took the liberty to highlight for you, because they are really big rules, some of the areas where the privacy and security provisions are discussed in some more detail because the page numbers will not work for you any more, once the official rule appears in the Federal Register, because the page numbering is a little bit different. Nevertheless, it should do for us for a few days, and I will ask my Policy Council she will find the page numbers in the new rules when they are published. The bottom line is if we are going to seek to put before the policy committee some recommended--some specific concerns that we have addressed in these rules before they are "finalized" now, we should do that and be ready to do that before the February policy committee meeting and we do have at least one or two more calls scheduled before that. There is time in which to get that done. I want to at least begin discussing and start collecting issues and concerns on this call, today, with the hope of putting before you some strawman, strawdog proposals for our next call. Specifically on meaningful use, what you have there it is--I am really focusing on what providers and eligible professionals, which are the individual providers and what hospitals have to demonstrate in order to be eligible for federal funding under ARRA and the measure is broadly--their objectives, but the measure is in my view where the rubber hits the road, what they will have to demonstrate it because that is that they have to conduct or review a security risk analysis per the security rule, and implement security updates as necessary. I presume that this is reported through [ indiscernible ], which is how most of the meaningful use measures are reported to CMS.
The certification criteria, which on a broad level of those criteria that have the technical functionality that has to be in the electronic health record technology in order to support achievement of the meaningful use objectives and, to meet the Pope seems to be more on some security measures there, including encryption and decryption, mechanisms to make sure the information has not been altered in transit, authentication and an ability to record certain information on disclosures for treatment, payment and operations. This is related to the changes in the accounting of disclosure requirements that were part of the stimulus legislation. For those of you that do not know, currently people have an ability to get an accounting of disclosures from their medical record, but the treatment as any disclosures for treatment, payment or healthcare operations as defined in HIPAA, did not have to be included. In ARRA, Congress took that exemption away and said to ONC, you have to develop a technical standard to facilitate the reporting of these disclosures and, consequently, the Office of Civil Rights needs to come up with a regulation that specifies in more detail how that will get operationalized. I will stop there and open this up for comment. We have some note takers here. I want to have a rich discussion about issues, concerns. Is it sufficient? Is it not sufficient? Is there enough of a connection? What is missing? Are we happy? Again, we will come up with notes and structure a discussion that might lead to recommendations on our next call. Rachel, I have been talking for a while. Is there anything I missed?
No.
John Blair: Is it too simplistic to say in beepers peas, initially, for the providers and in the second it is a system capability, technical system capability?
That is exactly right not comment on.
They are declared in the certification criteria that they are two separate rules, the certification criteria, and interim final rule is only about the functionality that has to be in the system. It is not about whether you use it at all.
In the document that came out last week and the second piece on the system capability, my read is that if you have a certified system, that will take care of it. They point out that by having a certified system, it does not take care of your HIPAA requirements but this piece on the security.
Dixie: This comes up time and time again in work on the standards committee. ARRA requires two things to get reimbursement. One is that an eligible professional or hospital has to acquire certified technologies. That is what the standards document specifies, the requirements for getting that technology certified. A vendor would be most interested in those standards. The second thing required is that they demonstrate that they are using that technology and that technology meaningfully. That is what the technology measure should apply to. That is what the individual organization should pay attention to. Standards are for vendors or those developing systems and meaningful use criteria is for the users. The point that I often point out is that just because a capability, a technical capability, is in the technology, it does not mean that it must be used or how it must be used or anything like that. For this group, we should be paying attention to the intersection of the technology, given that they have record contract acquired a certified system, what do they need to do to that certified system, with that certified system, to use it meaningfully?
Practically speaking, how will you test for?
We will not. Deven blessing to us by attestation.
Paul: The summary you gave about certification, Dixie, was very good. I am one of the co-chairs of the certification group. The concept is these are technical capabilities. The issue about how you tell whether or not someone is using them is a very good question. It is two questions in front of us. What should be in the section on meaningful use, privacy and security? What is written there, is it adequate? A separate question is if the certification for privacy and security, is the criteria adequate? These are two very different things. The certification work group basically said that the certification criteria for privacy and security should be robust and allow any purchaser of the systems to be able to fully comply with the law, the law being HIPAA, the law being any other law or regulations that might apply to the privacy and security. By saying it should allow the user to do that is as tough and I said, does not mean that the user will do it. This is just a technical capability.
Paul: On the user side, the meaningful use side, the criteria that CMS proposed is that the organization do a security risk assessment and act upon that. That is the test on the user side. It would be very interesting from the policy committee to have as workgroup's feedback or comment on that NPRM for the privacy and security section. As Deven pointed out, we will provide something back to CMS, indirectly. It goes to ONC because we are an advisory to ONC. The comments on the rule that you have two opportunities to advise future recommendations. One is to the comments on the NPRM, or the IFR, and the other is to and strategic objectives to ONC through our workgroup.
What bothers me about this, this is just coming context bang-theoretically, I believe-this is Dixie. Periodically, what they say in the meaningful use should be adequate. You do a risk assessment and identify what your vulnerabilities and risks are and use the technical capabilities that are in your technology to counter those risks. What we know from the security hearing we had for the standards committee is that 48% of the people who responded in the 2009 survey, which were mostly large hospitals, 48% do not do an annual risk assessment. So, up until that testimony, I for one thought most people were doing a risk assessment and would look at this and say that that sounds pretty reasonable. The fact is they are not doing the risk assessment to begin with, which makes me question their capability or motivation to really even do this measure that is in the meaningful use.
Paul: That is a good comment, Dixie. One question I have is, do people know what a risk assessment is? Should there be a greater definition of what a risk assessment is?
John Huston: I agree with Dixie. There are wide variations to compliance with things like HIPAA and ARRA and institutional maturity around the whole idea of risk assessments and compliance, for that matter. It would shock people to know how not complain Institution scholar.
Isn't this an opportunity to affect that?
Yeah. What verification do we have that once they do a risk assessment, if they know what it is, what measures have been put in place to rectify that? Do we have a way, other than attestation, to know that measures have been put in place?
Rachel: That is not very fair comment, if you take this out of context. I would point out that the entire stage one, and please correct me, Deven or Paul Tang, if I am wrong, is based on attestation.
Peter: That is correct, Rachel. I was talking and was on the back and could not understand why my voice was not coming through.
[ LAUGHING ].
Peter I should have the problem more often.
[ OVERLAPPING SPEAKERS ].
I could not see. Once they go past and the pass meaningful use we would have the right to expect other information about what vulnerabilities were exposed in a risk assessment and what remediation tasks were taken. Right now all you have to do is attest. As Rachel said that is the schema for meaningful use. We want to make sure it is doable by most providers and can be implemented by CMS. Going into stage two, my hope is this work group will come up with, just as other workgroups are coming up with, more robust measures for stage two M3 and make sense to show that people are not just clicking a box and signing a form and not knowing what they are doing.
Are we assuming blind attestation?
No.
The attestation becomes real?
Of course it is.
It is under penalties. If you all caught--
That would change your 48%.
I think the distinction does this is John?
Yeah.
The distinction is that-I will speak to providers, I am more comfortable with making a blanket statement like that because I am one, and a provider might click an attestation that they did something with an allergy list and most providers know what that means. I think most hospitals know what a security assessment is. Most providers would need help providing what a security assessment is because they might let it begin to have done one by checking their server is la in a room and think that is the security assessment. I would say that, yes, attestations are taken seriously, but it is true that there might be a certain level of providers that do not fully understand what doing a security assessment is. That is my big concern. I am not as worried about fraudulent attestation--
I am not as worried about that if they truly audit does and not as worried about the larger institutions to invest that did not do it before or you have the 48%. My concern is, as you point out Peter, the small practices, that the really even understand what this is. To me that is the biggest lift.
Paul Tang: Maybe I can a format for are you can package of your recommendations going forward. The three opportunities: One is the comments of the NPRM. But CMS through ONC would really appreciate it if you have a comments on the proposed rule, what is your alternative? What is the rationale behind the comment, and what is your proposed alternative and the rationale? If we are saying that attestation is not good enough, what is the alternative? What is the rationale? There was another opportunity mentioned that in 2011 this proposal, maybe in 2013, 2015, it might look difference because we are looking for get your guidance on what you would propose for 2013 and 2015. The Strategic Plan for updating ONC, what was most recently mentioned was that we need to educate, particularly the smaller practices without the large number of FTEs or support, what does it mean to conduct a security risk assessment? Is that something that the regional extension centers can help with? These are examples of concrete ways that this group can for a recommendation of to the policy committee.
John: Can I suggest that one other thing? There is an interesting dilemma here. Under ARRA there will be increased audits that will occur. I think it would be-the question is what would happen if someone attests to having adequate security team that plays and going through the risk assessments and the like and some incoming in and doing an audit and finding out that they did not comply and the Organization of having already received additional funds through this, through the meaningful use-I guess the question is, how is the payment of those fund-are they going to be asked to give back funds?
One of Deven's brainchilds is the proposal she made to the meaningful use workgroup on how to enforce this. She came up with the proposal that your meaningful use incentives would be held back if you were found not to be in compliance with, for example, the date will security rules because that was taken out in this NPRM. It would be interesting to know from this group, as a Group delving into this particular category, what your thoughts are, what your comments are about that change.
Peter: I think it is two separate questions, unless I am misinterpreting what you said, Paul. The current rule even for attestation is all or no. Providers and hospitals need to attest that they are compliant under every attestation under ARRA to get the money and if they are not compliant with security or privacy rest, the meaningful use incentive is withheld. I thought the other person on the phone, I forgot your name, was asking what happens retrospectively if an audit was done and you attested to everything, so you got your payment and paid them by audit you have not done something, which can be separated into, was it willful, balls used and you said yes and did not do it, or you attested to get, but it was not adequate. Those are different, and my interpretation based on how Medicare, rather CMS deals with other payments that are found out later by audit to be inappropriate is they ask or get the money back, sometimes with penalty. That would be my expectation for a false attestation, determined to be false, respectively, by audit. I would hope that would not, necessarily, be done with a attestation done in good faith and was done because of ignorance. However, based on how CMS deals with other payments, ignorance of a requirement is not an excuse for not having done it correctly.
The other thing to keep in mind is that meaningful use and whether your attestation for any of the criteria are accurate and not false, that would be up to CMS to determine. They oversee the meaningful use program and the payments. However, the increased responsibility on the Office of Civil Rights to audit is with respect to the HIPAA privacy and security rules. On the one hand, if an OCR audit uncovers any security rule violation, unless there is a connection to the meaningful use payment, that does not exist today, there would not be any impact. What Paul was explaining was something I have suggested that if you are an entity that is under formal investigation for a HIPAA violation, you should not be getting payments, even though they are coming from CMS under the theory that this all out of the federal Treasury in one bucket or another, until that gets resolved.
Paul: It is an interesting discussion but seems to me that the topic on the agenda that we need to discuss is what is written here in meaningful use and NPRM with attestation about the security audit, is that adequate? Do we have any comment about that? That is our number one issue. The other issues are important and interesting, but this is the number one issue. Is that reasonable?
Kathleen: On that note, I was wanting to know if Dixie thought that having providers purchase certified EHR technology that meet the security standards stated in the interim final rule would give them a leg up on what they should be looking at from a risk assessment point of view and, possibly, move them closer to being able to do a reasonable job on that? Can.
Dixie: Obviously, it will provide them more technical-each got one of these products will the security capabilities like authentication and access control and auditing, etc., as required by HIPAA, but comes back to-I think it was Paul the confirmed that people are not doing the risk assessment to begin what. I suspect most of them today have the capability, the technical capabilities to implement security functionality that is needed, but are not doing it. I think that is the big issue. I think we might be able to do if we could reach out [ indiscernible ]. Additional press risks of having a EHR introduced into an enterprise that they did not have before.
Paul: Can I ask you more questions on the existing security requirement to get a risk assessment done, Dixie? Is that conducted internally or do you have to hire an outside entities to do that assessment? Is the rule specific on that? Is there any guidance on what an appropriate risk assessment would look like that might be out there the providers might not be aware of it?
Dixie: The rule, itself, does not say it has to be external. It is an internal risk assessment and you have to do it manually. You can go Google security risk assessment and there is plenty of information out there. They are just not doing.
That is right. Getting to the question that people brought up earlier is something that I want to try to get more information on and try to shape into a recommendation. Guidance for these providers and, mainly the small ones that are not doing it because they have no clue--
Judy: I am wondering, and I do not know if this helps you because you might have to do things in a certain order, but I am wondering if we are putting the cart before the horse. Testing for privacy and security depends on what we decide we have to do it electronically. It could be anything to opt in or out to check that to a whole complex list of things that might take several thousand hours. Until we know what it is we are testing for, it is hard for as to say that because you're enterprises and large organizations can deal with a thousand hours or several thousand, but the small ones, of course, would struggle.
[ OVERLAPPING SPEAKERS ].
We would not ask people to do risk assessments for policies that are yet to be developed. What they are being asked to do is not security risk Analysis for per existing law. They do not need to speculate about what we might decide in the future. If there are for their policy developments, ideally, author of recommendation that it promulgated, that changes the dynamic.
That is what I am saying this because we have to keep that in might. The two things work together is because of the complexity of what we do later on will affect the testing.
Paul Tang: In the question about the security rule, in the preamble to the rule, they did explain how, depending on the complexity, it can be a big thing for in smaller settings does it can either be done by your own staff or external parties.
Right.
What was not available when the HIPAA Security came out where these [ indiscernible ], for example. Since they target the smaller practices, maybe they do come up, get one of their central, national tests is to come up with guidance about security audits. That could be very useful for that small practices and can even label it as the target margent patch [ OVERLAPPING SPEAKERS ].
I understand.
The 48% on all large hospitals.
Dixie, I was not commenting on what people do or choose not to do, it was more the resources to have a Security audit Plan in Place. These smaller practices do not have that, uniformly. There is a separate issue of whether people have an audit that is another dimension.
In the small practices, it is probably 95 plus%.
Gail: I would also like to comment on the smaller practices that are limited to the primary care. There are a lot of small practices out there that we want to be a part and have an EHR. You need to make sure that there is a way to educate all practices, not just the primary care practices.
I think the RAC was just an example of mechanisms to do this. I think it will have to be a part of routine implementation across the board.
What RAC can do for primary practices is create a workbook or handout that can be utilized by other practices.
All of these.
I would wager that 95 to 100% of practices under 50 doctors do not do--
Of course not. They certainly would if they knew what to do. If I can invoke the word "reasonableness," if it was relatively simple or they could designate their office manager to do, they would welcome that as part of their annual workflow.
That was that one of the points on Paul's comments on the three pieces, the attestation, 2013 and Education.
Thankfully there is not made vehicle for. It is not a perfect vehicle given that it does not cover everyone, but not better start than what we might have if we did not have that piece available. What about the connection to the certification criteria? Someone started to raise the point earlier in our conversation. We had the new technical functionalities that the electronic health record technology now has to have in ordered to be certified but is not-those are not connected in any meaningful way, forgive the FTE police security risk assessment, not in an obvious way. Was struck me with the standards in my limited experience - - no requirement to use any of this.
That is the meaningful use requirement. There should not be patch I am not suggesting, Dixie, that you put the requirement in the certification piece. What I what like to discuss it is if there is some room for some requirements to use these technical functionality is either as part of meaningful use or something we would recommend to OCR to updating the recommendations or guidance under the security rules patch [ OVERLAPPING SPEAKERS ].
I would strongly concur with you on that, Deven, that there should be more specific measures of using those securities standards and would note that access controls do not appear on those lists that appears to be a huge gap.
Can you tie that in would hurt you clarify the risk assessment?
That was the intent. But the question is whether we want to add-and it is a valid one, whether we want to recommend additional specificity to the meaningful use of Employment Security updates as necessary. Do we want to provide some specifics? For example, here is a good example. The criteria standards require that they be able to speak. Do we want to say of the meaningful use if you'd start a PHI on a mobile device or the U.S. The or cell phone or whatever, that the dates that must be encrypted versus data that is on a server in a data center of that is not subject to as much risk of inadvertent disclosure as something that is on a mobile device?
Paul Eggerman: Your comment, Dixie, is a very good comment and I want to get back to the two issues that Deven raised, which is the disconnect between the certification criteria and meaningful use-what you are saying, Dixie, as the requirements to use this stuff. On the first one, on the disconnect, I did not see that as a problem. You see the IFR for privacy and security should be more robust than what you have for meaningful use because you cannot test for everything and will not require meaningful use measures on everything. I think it is okay that there is some level of disconnect. The issue of the required use, which I think you are referring to, Dixie, is an interesting issue. What I did not understand and the whole long description with encryption that came first, this is what we would like you to do, but you do not have to do it. I would like to turn that around and say that this is the minimal requirements. You have to do this or something better within the certification process. That would be good. You did not, necessarily, have to connect everything you do in the certification process back to some meaningful use test.
If you call that out in the risk assessment and have the minimum thresholds, does that do that?
I think that is an interesting question is because this is Deven. It is not entirely clear to me what implementing security updates means. Does that mean having the functionality is present in the technology you are using or extend to using it? It feels like the dots are not fully connected.
If you clarify it, does that get what you need?
I am also asking the bigger question that goes to Dixie's point but not thinking about it in the specifics she raised. I think there is only so far you can go with the meaningful use and criteria you are setting because hospitals and doctor plans and other eligible providers have to meet every single criteria to be paid their meaningful use. If you load too much up into the bucket, and this goes to what Paul Eggerman was just saying, we will be in trouble. That is not, necessarily, the only policy vehicle we have for strengthening security. We could also make recommendations about the security rules. That is not within the policy committee purview, per se. That makes an important statement about how merely having the technical functionality that does not get you to a more secure detent environment.
If you have the technical capability and attestation through the risk assessment that calls out certain things, specifically, as minimum requirements, that starts to get you there and the 2013, you can move to testing.
Gail: My point is that security and privacy are absolutely the foundation of getting the public to buy into the whole concept. If you want to call things out and want to really put meaningful use requirements in, this is the one area that you need to do it, very specifically. We need to have a stronger meaningfully as component in privacy and security than anywhere else. Yes, it does put a burden on providers and hospitals, but this is the one area where it is required to do it, even beyond attestation.
Paul Eggerman: Those are good comments, Gail. My observation is that you can do some of these on the certification side. If, for example, you say that all electronic health records have to be certified that they encrypt all of the data that is stored at rest, it is very hard for a small group to buy a certified record and run around that. There is no reason to do that if you put it right into the certification criteria. That is the place where you can put the specificity about what you are looking for, Gail. The thing that gets hard is privacy. It is not a technical issue, it is all about policy. You can do everything you want about security and encryption and all kind of fancy words, but if people do not have the right policies in place, they put their passwords out on the computer to see what the password is, there is not much we can do about that. It is not a technical issue or even meaningful use issue.
They never had a attestation audit in remediation before.
The audit--
There has been an audit.
There are Medicare audits.
Different audits, Gail.
Dixie: Deven, your comments about recommending changes to the security rule, itself, if that were truly an option for us, I would think that is the way you would want to go. What you would want to do that's actually, our committee talked-out or work group, on the standards committee talked about this, we know in the security rule there are a number of required standards-and they call them the standards, require provisions and are even more that can be addressed, it means that they get an option whether to implement them or not. That was written the late 1990s, right? As organizations are implementing EHRs, is this the time to go back to those that can be addressed and make some of them requirements?
That is, essentially, what I was hinting at. The policy committee that we report it is not an official advisory body of the Office of Civil Rights, which now has oversight over both the HIPAA privacy and security rule. Having said that, we reached out to Sue who is the deputy director of the Office of Civil Rights just to see if she was interested in hearing from us on recommendations for implementation of the accounting for disclosure requirement is because she said, sure, yes. We have limited ability to cry foul if any recommendations we would send up on the security rule were not adopted, because we are not an official recommendation body for them, but the doorway has been opened and we would be really confined with what we can do as a work group of some recommendations with respect to the basic set of rules that cover this data at a federal level were off the table.
Paul Eggerman: Those are good comments, Deven. Question I have, we are supposed to see if we will make no comment about the NPRM. What is written in the deficit is okay, but we are not that excited by it because of other issues, so we need to go further. We think what is written in the NPRM is okay.
We have some suggestions of what we would do-it more on the education side and making some comments with respect to stage two, which we assume is about 2013. I do not think we are, unnecessarily, silent on that. You are right, if we are going to go to making recommendations on the security rule, we are not confined by the time frame of comment on the rule that exists.
The question is for stage one, what is written in this NPRM, you have to [ indiscernible ] whether you have done a Security audit, are we happy with that? To do we want to recommend any changes to what is written there?
Dave: We have talked about security pretty thoroughly but have not talked about privacy. The second goal is that also requires a measure.
Back to the earlier comments, how do you measure privacy?
There are issues around transparency of data sharing that could be attested to.
The but to it is it is easy when you are checking of things. This has hundreds of thousands of providers. I am worried that it cannot be reasonably measured.
Kathleen: Are there some federal laws that many providers are supposed to be able to support for privacy that we can tests for example, whether a provider can support a 42 CFR directive?
Are you talking about underpart two? That is limited set of providers that are subject to that.
Right. Are there other ones we can use?
You can point to HIPAA. That is where the whole question of audits, and in. What happens if someone attests to it and CMS comes in and audits them and says they did not comply.
Another example I am thinking of is in HIPAA you have to be able to support authorization to disclose to the Social Security Administration, I believe the. Is that correct, Deven?
There are a whole set of authorizations required, certain data users require a certain authorization and under certain state laws that already require consent to disclose certain types of information-if we did not do another thing on that issue, there is already law.
The question is outside of a complaint, how is that being chat pod?
That is the only way it is being tapped.
Okay.
Deven, the comment that I do not know who it was, about transparency.
That was Dave.
Hi comment Dave. Does the outcome priority of aiding the patients, does that come within our review?
Well, it does not, per se. What was your comment, Dixie?
Dixie: They have some specific measurements, percentages. I thought that was what he was addressing.
Deven: This is different, Dixie. If you look a particular set of goals in the meaningful use rule. This came from the matrix appear until an approved by the policy committee, what are the care goals that should be achieved? The second is to provide transparency of the data sharing to the device because that is different than providing patients with copies of their data set.
Dixie: He is saying that they have no measures addressing that and not all?
And the: Not only is there no measure but no objective.
Dixie: Oh.
Travel: In stage one. What you do have, of course, is a requirement to provide them notice of privacy practice under HIPAA. I think the main lot of people are less than satisfied with that on both sides of the fence and find it not to be terribly useful. That is what we have as of today.
Sarah: What did the committee recommend for this committee?
We have some things to say-what I have said is based on the comments that this is not our first bite of this apple and I would put together some strawperson, more recommendations so people can review them before our next call and finalize them. They were in the area of finding more mechanism, whether to the regional expansion setters of the centers or otherwise to provide better education about to do an appropriate risk assessment.
No, I meant-didn't the first policy committee provide recommendations for meaningful use?
I still do not understand the question.
I thought there were measures that were initially made by the policy group in August, or whenever that was on specific meaningful use measures and one for privacy. I do not remember what it was. I could be completely wrong.
I am getting it out.
Kathleen: In the NPRM, on that one of the tables of the meaningful use measures, it is the capability to exchange key clinical information and is for the eligible providers and hospitals and the description is to store, send and receive key clinical information, the information transmitted to the providers and patient-authorized entities. I wonder if [ indiscernible ] looking at support for privacy.
What are you looking that, again?
One of the tables and in the CMS NPRM. I can send this. I have it taken out of the actual document. It talks about having demonstrated ability to store, send and receive information and says transmitting it to be providers and patient-authorized entities and seems to call for the ability to use the patient authorization to decide how information would be transmitted.
That it's to the consent question that has longer and the larger ramifications. We are not going there yet. That is not necessarily a hook for the issues we have not fully gone through.
I do not think his consent. I thought it was the HIPAA authorization forms. It is in the list of meaningful use measures.
I think you are cherry picking something out of that has to do with--
[ OVERLAPPING SPEAKERS ].
I am not sure that we need it.
I was looking for something-was there anything in the meaningful use measures that related to the privacy? I was wanting to highlight that particular one. I do not feel like I am cherry picking.
I think Sarah's question was related to the privacy and security category of the use the matrix and sounds like you are quoting from is from another category.
This is out of the role and Sarah was talking about what was in the matrix. In 2015 there was segmentation and others for other periods.
I say nothing for the first year.
I think the first year and was just HIPAA privacy.
And the risk assessment. As we discussed earlier, the compliance with the privacy and security piece is full compliance with the rules, that was the piece that did not get picked up by CMS, but they did pick up the one measure for 2011 that was adopted by the policy committee was conducting or updating the security risk assessment.
Okay.
Coming back to that issue, I think Kathleen's point is taken. One of the ways of providing transparency to the patient is through a consent and authorization process and is something that one can attest to, not the only way, but certainly the starting point for stage one. That is one of the ways you can get that issue.
Can you explain more what you mean by that?
I think the concern that the terrible is speaking it is that patient's information should not be disclosed without their knowledge and consent.
It is not, Dave. Is Paul Tang still on the line?
I am.
The question we are talking about is the care goal identified in the meaningful use matrix in the privacy and security area, specifically of providing transparency of data sharing to the patient, which was an established care goal. The only objectives that were established were compliance with the rules of HIPAA and the fair data sharing practices in the nationwide framework that we discussed earlier in the call, with measures being limited to full compliance and conducting or updating the security risk assessment. I do not think we intended the transparency provision to mean consent, per se. We recognize that was a bigger issue that would need further discussion to resolve.
I think you are right, Deven. That was a little bit like what we now call principles. One is for the patient to understand how their data was used and disclosed. That then translates to the principles that this group is talking about in terms of the previous remark and goes into--right now, HIPAA privacy and security--another thing for this group to think about is EHRs, in the sense, in addition to what we have done with EHRs, we have the whole category of engage the patients and family. What is going on is we are giving access to and use of their data with the electronic tools and applications. That automatically says there is a notion of a PHR going on and would imply that the policy and security workgroup, this workgroup, might have something to say about use and protection of information as it is disclosed to PHRs. That is something that we already opened up with meaningful use. Here is the thing with consent. We will absolutely take this issue on. It has a lot of very complicated components to it from what is capable with respect to the vendor standpoint to the policy we have in place today and what we should be pursuing in the future. I promise you we will do that and the only reason we are not starting with that is because there is some architecture of HIN issues currently being discussed upon which recommendations are being formulated by the [ indiscernible ] workgroup and we decided we would hold off on beginning those conversations until we had more direction on what this network is going to look like. We will get there. It does not do justice to the issue at all, I think, to shoehorn into this space when we have not, necessarily, had a conversation about it.
I am trying to think of what, if anything-we should think about what to do about this data sharing transparency issue, which is another important issue and include when an individual has the right not to consent, and when they do not, I think to try to take it on in a bigger way as part of this discussion to inform comments on meaningful use, we would never get it done in time.
Kathleen: I am wondering-it sounds as if the architecture of batch is setting parameters for what this committee can discuss.
It helps to shape--a consent discussion is better informed if we know consent to what. What are we talking about? It is has brought with data sharing and any capacity. On the other hand, certainly the way it has been shaping up, nationally, over the past couple of years, it has been enhanced with respect network participation. We were told that the NHIN work group would have concrete things to say early in this year and it made sense to not, necessarily, begin those discussions until we had further information from them. I need to do a double check on where they are headed. I am not sure they are as far as we thought they were going to get and do not want to put this conversation off for much longer, because it will take us time.
Paul Eggerman: I agree with what you just said, Deven. We need to know a lot about where NHIN is going as we define privacy policy. Otherwise, it is like the cart before the horse. I am also looking at the time clocks. I know we have to start the public comment section in a couple of minutes and vote and most of this discussion has been under and then on the deficit on the meaningfully aside and I am wondering--we have done very little discussion on the IFR piece and probably we do not have time to discuss that. We need to mark that for some additional discussion for a future meeting.
Absolutely, Paul. I agree with you and invite people to--I actually started to hear Kathleen raise some concerns about something she thought was missing. If other people, between now and our next call, which is in a couple of weeks, if they have things to put on the table, and to meet early. It will help Rachel and I structure the agenda so we make sure that we get all of these points discussed. It will always be a challenge with the number of people we have in the group to move this forward. That cert piece is a powerful public policy tool that we have. The question is, is it being used correctly for the privacy and security piece that we all agree is critically important? That is an important issue to put some attention to.
Was Kathleen's comment about access?
Yes.
Send me something, Kathleen, since we are talking about your point that we did not get to raise.
Rachel: I have been listening carefully. Maybe someone already made this comment or conclusion. I wondered in terms of dealing with the more narrow question of the transparency, if part of what we are doing is trying to crosswalk the certification criteria to meaningful use, since the certification criteria do address the auditing of disclosures, I wonder if there should not be, perhaps, a recommendation from our group, if there was consensus on a meaningful use measure relative to the certification criteria?
That is what I was going to say. We have been pointing out how it be provided transparency has no objectives or measures. That is really where the hook is. Accounting for disclosure is not mentioned in the NPRM, just mentioned in the IFR. This is where it really relates.
I do not want to keep harping on it, but that gets into the thing that I said about risk assessment. If you start to include those things as minimum requirements for everyone, doesn't that gets at?
Yes. We have to go through the list of what we think the elements are and I am not sure--it is one thing to have a security risk assessment and act on it, whatever that means, but I am not sure if I would assume that that security risk assessment would assess the patient's access to the audit log back for disclosure.
If you look out the NPRM now, page 64, you see it has these two [ indiscernible ] and only has that one objective that says addresses both of these. I would argue that protecting electronic health information through the implementation of appropriate technical capabilities does not, necessarily, include the accounting for disclosures.
Also has different time frames for implementation that we will have to think about in terms of crafting something.
Right. We should consider recommending that we add accounting for disclosure as an objective.
That is a duplication of the extension to HIPAA that ARRA added. No longer is [ indiscernible ] exempted from the accounting for disclosure. It is already done. Maybe the language can be strengthened to say it is not just the data security piece but also the privacy rules.
Yes.
Which has been modified by ARRA.
Looking at what is in the NPRM, it does not mention HIPAA at all, protect electronic health information, created and maintained through the implementation of appropriate technical capabilities. Accounting for disclosure is more than technical capability.
I think, if I remember correctly in the preamble piece it talked about one of the reasons they took HIPAA out is that it already exists and people are expected to be compliant with it. That is what I am saying. You are right now, maybe not suggestion is to tie HIPAA as part of meaningful use. It goes back to Paul's point, you need to be in compliance with HIPAA, privacy and security.
A cross reference.
Adding another but duplicative requirements.
We said we would not want to duplicate it. We are eating into our public comments period. Rachel and I will definitely talk about this more and try to bring things more specific for your consideration for the next call and spend more time talking about the security standards that are in the certification criteria. Send in any comments that you could not squeeze into this limited amount of time on the call today.
When is the next call?
January 22nd, the clock read 12:00.
Thank you.
Let's bring the public in.
Can you do that, Allison, and if you have any final remarks while she opens that up?
To
--It is hard to separate these issues out from the others that we can tackle in this time period. Again, we will continue to do it the best we can. I cannot emphasize enough that this issue of consent, it is on a lot of people's minds, we will deal with it and in a very comprehensive way.
Great. , parade and an operator, are there any public on the line for comments?
No, nobody is on the line.
Okay.
We will give people a couple of more minutes.
The next meeting is from 10:00 to 12:00.
With the prioritization of timing, it goes without saying, but I will say it while we are waiting, it is that some sort of a summary of potential issues or clarifications on the two rules would be the most important thing for us to tackle in our next discussion.
Yeah.
So, if members of the committee have specific suggestions about some of the things they commented on during the course of the call or other issues, get those to us before the next meeting. That would be the most timely way to ensure that those will be addressed.
As soon as possible. We will have to start putting an agenda together.
It is every two weeks.
Just to reinforce what Deven said about the timeline, the policy committee is expected to give the deliberation on the comments on the NPRM by the next February meeting--
February 17th. We will be submitting to ONC their comments by March first. That is to keep with CMS's timeline. The digested information from this work group needs to reach the meaningful use workgroup in time for it to make its presentation to the full committee by the February 17th date. It is not a lot of time.
Privacy and Security Policy Committee Member List:
- Deven McGraw, Chair, Center for Democracy & Technology
- Rachel Block, Co-Chair, NYS Department of Health
- Paul Tang, Palo Alto Medical Foundation
- Latanya Sweeney, Carnegie Mellon University
- Gayle Harrell, Consumer Representative/Florida
- Mike Klag, Johns Hopkins University, Public Health
- Judy Faulkner, Epic, Inc.
- Paul Egerman, Consultant
- Dixie Baker, SAIC
- Paul Uhrig, SureScripts
- Terri Shaw, Children’s Partnership
- John Houston, University of Pittsburgh Medical Center
- Joyce DuBow, AARP
- A. John Blair, MD, Provider
- Peter Basch, MD, Provider
- Justine Handelman, Blue Cross Blue Shield
- Dave Wanser, National Data Infrastructure Improvement Consortium
- Kathleen Connor, Microsoft
Rough Draft Transcript:
Good morning and welcome, everybody, to the privacy and security policy work group that is a work group of the HIT policy committee. Remember that this is being conducted in the public and the public will have opportunity at the end of the meeting to make comments and, workgroup members, if you could remember to identify yourselves when speaking.
Rachel. For those of you that do not know, the Office of the National Coordinator has established a policy whereby the work group meetings in addition to the policy committee and full standard committee meetings will be conducted open to the public. That does not mean that we could not if there was not made strong policy reason for that closing a meeting do so, but for the most part we will operate in our meetings with the public fully invited. They are on mute for most of the call but we reserve the last 15 minutes of the call to open it up for public comment. Does anybody have any questions about that? Again, I think his and a welcomed the change and, personally, but does require us, it in Edition for it be easier for network group members to know who is speaking, it is important for you to identify yourself so that all the people on the line know who you are. With that, we will move into the first item on the agenda, which is finalizing our workgroup charge. These are changes that originated with John Huston. There was one more addition of the word "collection" in the very end of the charge that was suggested by staff. Bank a lot of people were supportive of these changes when we circulated them by e-mail but given that not everyone had a chance to weigh in, I wanted to spend time this morning making sure that everyone is comfortable with the wording and we can finalize it and move on to other business. Does anybody have any questions or comments or further suggestions?
This is Kathleen. Is it showing on the webinar? I do not think I got it.
It is on the annotated agenda. I will read it in. Make short-term and long-term recommendations to the health IT that will help build public trust in health information technology and electronic health information exchange. Specifically, the workgroup will seek to address the complex privacy and security comments to the development of proposed policy, governance models and solutions and approaches that enhance privacy and security while also facilitating the appropriate collection, access and use of health information to improve health outcomes.
Can I ask a question?
Sure.
In that list, the disclosure is not part of the best?
The term, Exchange, is used. To me, that includes disclosure.
I would just caution that the caution about that is the in the privacy principles and general principles in the literature too the terms of word "disclosure" is used and that one could exchange health information without using that information. For example, when it is in transit through the clearing house where they might look at the header but are not using or accessing the information. That would be my--
This is Paul. I agree. There is not lot of confusion about the word "access" use in the literature. It is easier to throw all three of them in.
I do not have a problem with that. Does anyone object to that in the workgroup?
Can you repeat that?
It is towards the end of the charge. It goes with our development of, again, proposed policies and models and solutions and approaches that enhance privacy and security while also facilitating the appropriate collection, access, use, disclosure and exchange of health information to improve health outcomes.
That is fine.
We have Gail on the bond, and now.
This is Justine from Blue Cross. In the first sentence, can we add where it would read it will help build public trust in health information technology and electronic health information exchange and ensure the use to improve healthcare quality and efficiency? Part of what we do is to not only build the trust in it but facilitate the use.
Right. I do not have a problem with adding that. That is exactly why the "specifically" line says that the solutions and approaches enhance privacy and security while also facilitating the use.
This is Dixie. Can you read that?
If you could read it again, that would be great.
Instead of exchange in the first sentence, you would add on and ensure the use to improve healthcare quality and efficiency.
I do not believe that is the charge of this work group is to ensure the use.
This is Kathleen. Make it authorized the use?
This is Peter. I would agree. That exceeds the bounds of the workgroup.
If you put "enable" I would be okay with that.
What about facilitate?
That is the point. But of having the role of privacy and security safeguards is to get people comfortable with using it and think that is important to help facilitate. I am fine with facilitate and enable.
It would say facilitate the appropriate use to improve healthcare quality and efficiency.
[ OVERLAPPING SPEAKERS ].
[ Audio/Speaker not clear] application domain--
So, "enabled."
I would be fine with that. This is Dixie.
This is John Blair. Is the statement up?
It was on your annotated agenda.
I will pull it up there. Remember looking market over the weekend. It does distinguish access, exchange and disclosure as separate?
Yes.
Okay.
[ OVERLAPPING SPEAKERS ].
It does not mention disclosure right now.
Is not, it does. We just approved that.
With the change, it does.
For those of us that were late, can you restate the sentence?
I also have my trusty sidekick taking some notes over here. To make short-term and long-term recommendations to the health IT--Policies and practices that will help build public trust in health information technology and electronic health information exchange and enable the appropriate use to improve healthcare quality and efficiency. Specifically, the workgroup will seek to address the complex privacy and security requirements for the development of proposed policies, governance models, solutions and approaches that enhance privacy and security while also facilitating the proper collection, access, use, disclosure and exchange of health information to improve health outcomes.
Kathleen: The word "appropriate," and I find ambivalence because I do not know what it means. Authorize seems to be what is allowed with the regulatory sense. Is there a reason for using "appropriate"?
The use of it is that appropriate has some sense that those people who have a need-Well a need to access that information or use it-anyone can be used authorized what is appropriate or not.
I just want--this is Deven. It is a charge, not a statute. The reason why I did not devote a lot of time to doing this is that I am not sure it is a great use of our time to admit that on the details of this bank.
Based upon that--this is John Huston--I would propose that we pass it and get on--
Deven: I throw that in the approach reverses not authorize the date. For a charge, Kathleen, I get where you are going, and John, I get your counter point. I think "appropriate" assumes all of those things.
I agree. I move that we accept it with the changes just made. This is Dixie.
I support that. It is Joyce.
I also, Gail.
I, too--Justine.
Does anyone have any strong objections to as moving forward as I just read it?
No.
Excellent. I apologize if I was Turner's. I heard from a lot of you after our initial call and we have a very large group but it is important to have a broad range of the stakeholders represented and the more focused we can be, one, will advance us further forward in making some good recommendations and facilitate maximum participation. Again, I apologize if I was being to have because we have a group here that can make some progress on these complicated issues only do that if we can be focused.
This is Allison. I would like to remind all. To please turn down your. On your computer. That is what is causing the echo. Thank you.
Thank you, Alison. That is right. Let's move to the next agenda item. What we talked about on our last call was the nationwide privacy and security framework for electronic exchange of individually identifiable health information. For those of you not familiar with this document, this is a set of overarching principles taken from a number of different models of fair information practices that have been put forth both in the United States and abroad that was developed during the Bush administration by the Office of the National Coordinator and released to the public in December of 2008, more towards the end of that year. People did not get a chance to read it before our first call. There have been some subsequent--there is some concurrent work going on by a separate, strategic planning work group, which involves creating a white paper that expresses some overarching principles in a number of key areas that include privacy and security, drive down to some more specific objectives and moves towards a strategic plan or time line for getting some of that work done this because that is a separate workgroup with some members on this work group also serving on that one. Nevertheless, it is a place where they are working with a--they want to work with a set of principles that then gets parsed into more specific objectives and strategic plans going forward. My hope is that we will continue to work together in a back and forth way as these objectives, more specific objectives and time lines get nailed down. I think it is appropriate as the privacy and security workgroup that we do that. In the meantime, what to do with this nationwide framework, I want to propose something to the work group now, which is to discuss whether or not there are any key omissions in it, but otherwise not to wordsmith it. It is at the more principled level and to pass it on to the strategic planning work group to be incorporated as the overarching principles that would go into that white paper.
I want to stop now and pause and allow Rachel to add any thoughts and open it up for some comments.
No, I just wanted to also, hopefully, clarify for people that as the document is structured, there is a comments to this on page five is the first sentence after the bold heading that is the stated principle to. The information in the italics, if I am following this correctly, correct me if I am wrong, Deven or Judy, is the explanation that ONC prepared to explain the principles, themselves. The principles are the individual sentences that immediately follow each heading. Individual access, correction, openness and transparency, choice, etc.
That is right, Rachel. This is Deven.
Again, it essentially, ONC worked on this for about two years. Since we are a new work group, it is worth noting if there are any key omissions that we would want to see incorporated in here, but to try to avoid wordsmithing. That is not make radical that we might not recover from.
As the strategic planning committee, they will review that in the context of their work and may send it back to us that in our discussion we think you might want to discuss item X that was not addressed in this or might need some elaborations because this might end up coming back to us after the strategic planning committee reviews.
This is Paul. My only comment about the documents because the document and framework are excellent and lays things out very clearly but was written before the ARRA. As a result, it does not refer to ARRA and I am wondering if that is a little bit of a problem, especially since the document says the patient should have the right to access to their electronic data, but ARRA already gives them that access.
Deven: That is exactly right back. What is interesting is that these are principles for which actually even before ARRA we have some law on. In some respects one can think of this as we actually already have some law in this area that provides some guarantee in more specific ways of how these principles get operational. Nevertheless, to the San there is somewhat in some areas and gaps in others when you set overarching principles, it can help guide you when making decisions down the road about what is the overarching approach that governs what we do? So, while it has not--I would argue that because it is at the principle level, it does not need to be updated and using your example, Paul, the HIPAA privacy rule has always given people the right to a copy in the format they request. ARRA requires that you get it electronically if people require that and is some limitation on how much you can charge it the goods is not supposed to go into that level of detail. It is a level of them living document where the policies underneath might change, but the principles remain the same and the policies, in fact, are operationalized.
In looking through all of the different policies, there is nothing in here that when I read through this, I see that ARRA change that. Nothing--that are still to me, it equally applicable, even now.
Rachel: ARRA said provide specific implementation context and we will be discussing that momentarily in conjunction with the proposed rules. It does not fundamentally alter them.
Mary Ann: I think this is a very well written document and the principles are very nice. As we move forward, however, in implementing the principles, it will be important to keep research uses and disclosures in mind. HIPAA currently allows some disclosure, for example, for research without authorization. I raise that and do not know that we need to change anything in the document to address that, but know that we need to keep research uses and disclosure in mind moving forward. I also wanted to suggest a possible tweak to the charge. Unfortunately, I could not weigh in. My access was blocked but that has been changed, to include research in the charge and where I would like to propose it is the end of the charge where it says to improve health outcomes, including for research.
I think--this is Deven. The only thing that gives me pause is I am opposed to using the one thing that improves outcome rather than other things because we need to keep it broad and if we are calling out that one thing, it opens the door of. 12 heard from other.
It is understood to improve the health outcomes, I am fine with that but do not want it to get lost that research use gets appropriate consideration.
Okay. You are okay with not specifically mentioning it but making sure as we shape our agenda going forward to not leave that out. I do not want to speak it is important.
Kathleen: I wanted to point out in the various statements of these principles there is inconsistency about whether we are talking about use of disclosure in a couple of places where stated and under safeguards it is access to use the disclosure but no collection. I think it would be helpful if the group consistently used the spectrum of the types of-I guess access-I did not know the exact term, specific types of submissions to you have collection access, use and disclosure cover consistently throughout the document wherever these principles are stated. I do not see any particular reason why it is one versus the other. For example--
I get what you are saying, Kathleen. Again, to avoid wordsmithing this, how about as we pass this along, we note that the full spectrum of all types of activities were upper plate under an appropriately recognized and the strategic framework workgroup might consider that. We will in terms of our own discussion about specific policy.
Dixie: The difference that Kathleen is pointing out relates to data versus information. You can access data without disclosing information if the data is encrypted. I think if we were consistent in to access data and disclose information, we would handle the concerns that she has.
There are different rules that apply. Thank you for pointing that out. The other one, and I do not want to white paper--
But.
Action want an explanation. It says never to discriminate inappropriately. I am pondering what is inappropriate versus appropriate discrimination?
For example, Mary Ann's comment about research. You do a cohort search.
I am not sure if that is what was meant. Sect, from ONC, do you know what they were getting there--
Sarah, from Jim, do you know what they are getting at?
No in. I can try and talk to the project officer and find out.
That is a good question.
Some of this stuff-this is a living document. I am making some notes about the easy changes that we can think about.
Deven, I remember that Jody Daniel once mentioned to me that when the Security and privacy workshop and standard committee were looking over this, she mentioned that they, ONC, were in the process of updating it and recognize the need to be updated. Can you get from her the specific needs for update that they already identified?
The latest that Jody said to me is that they are not necessarily updating this document, per se, but by putting this forward, this was the first step and the specific policies and best practices to operationalize it were going to be more the focus, but we can confirm that. I did not get the sense that there was, necessarily, going to be further changes made to this document, per se. My view, and I sit on the strategic planning work group, is to the extent that there are some things, some key things we want to pass along to them and basically what we have been discussing this morning, as we say to think about this as you incorporate this or discuss it in the draft of the white paper that will form strategic plan going forward, I think that is all appropriate.
Gail: The one thing I would ask us all to look at is under safeguards when you talk about individually identifiable information should be protected with reasonable administrative safeguards to ensure the confidentiality. What is reasonable? I think that is where people are going to get very nervous is how you define reasonable. Where that leads you, and is it going to be truly protected?
I think that is right, Gail and one of the reasons why we need languid in printable form, and of verging reasonable form, property, those are pretty broad terms and it comes down to when to discuss specific policy.
Gail: I think we need to be very mindful of that. What is reasonable with that one person and an agenda and is not reasonable with another. If we determine things, we have to be cautious that we are making things that our policy that are developed to protect the information. As reasonable as possible, yet making sure there is the integrity of the data and privacy and security are absolute essentials. That, to me, is the? Of the whole thing, that one word, right there.
[ LAUGHING ].
Dave: I agree. That same word is used liberally.
These are the overall content overarching state. I am not sure what you would replace that with. Again, there are a lot of factors that need to be considered and when you promulgate any policy, these buzz words, while they make me nervous, too, they are more placeholders for the harder work that we will do, quite frankly, and in discussing what that means.
Dave: The issue for setting a principle is if it is a minimal standard or expectation for the highest level of performance. You can take the word "reasonable" out and make sure that these are policy and need to shade the grey, but the overall principle should be the high standard.
I agree with him. I am sorry that I did not get your name. I am looking at the principles here. In every case you could take that word out of there and that would be the principle.
Right.
Paul: I wonder if it would help, Deven, to give context around the strategic planning process, would that be useful?
Sure. Go ahead, Paul.
Paul: This will be presented to the rest of the committee in a couple of days develop four themes. This is called for in the statute that ONC updated the Strategic Plan. There was a work group formed to provide advice on the HIT Policy to ONC. There were four themes that were developed to help shape the recommendations. One is meaningful use of health Information Technology. Two is policy and technical infrastructure. Three is policy and security and four is to create a batch-effective use of HIT. You recognize that this group's efforts, privacy and security occupied and one of the four themes. It is really major. The way that we have organized our work is to talk about the theme itself, to describe it, to talk about the principles and the strategic objectives and delve into the strategy. I think the suggestion that you have so far put forward is to use the previous framework, something like six sentences, as principles, sounds really good to me. As people have mentioned, a lot of work has gone into it and they describe the principles really well and what I think you are also talking about is how to determine what is reasonable. I would not give up the term "reasonable" because that gives the balance between what and where does the information have to go to do all of those good things, research, patient care, etc., and protect the individual confidentiality of identifiable health information and sometimes aggregate information. There is always a balance. There is a need for one side or the other. The concept is at the principle level. That might be put into context of you having principles but at the next level you will be discussing, even in this work group, are some of the objectives that you will pass on to the Strategic Planning workgroup.
This is Peter. I would second those comments. The word "reasonable" makes people nervous but makes me comfortable as a provider. So, I am not opposed to this three people's arguments about why it should come out, but I believe that principle or reasonableness helps to protect both sides to arrive at better policy.
Thank you to both of you. Again, I would propose that we send these along. The more important discussions will have the particular is and specific policies are where we will make our most impact and figure out how to get these policies right so, in fact, we are facilitating or enabling the use of data for good benefit while the same time, protecting policy. A lot of people refer to that as a balance the coat that is a word that does not always make me comfortable. The notion of needing to have both to do right by patients is even reflected in our charge.
Judy: I have been on since the beginning, but they had me on mute and had to get them to put me on as a speaker. Collection use and [ indiscernible ] that is identifiable health information should be collected and disclosed only to the extent necessary to accomplish and can accomplish the specified purpose and never discriminate. From an electronic disclosure point of view, I am not sure what that means.
It is a common fair information practices concept. Do not collect any more data than you need to fulfill a purpose for which you are permitted or makes sense that you are collecting the data. You are only supposed to use what you need is because some people have come to refer to this as green use of data, to borrow an environmental term. Do not collect more than you need. Do not disclose more than you need and also is reflected in minimum necessary standards. Does this get into the situation where you have the patient feeling that the orthopedist should not know about her depression drugs and they like they should because I can tell you if I prescribe the wrong thing. Is that this kind of thing?
It does not resolve that question at that level of detail, but instead, it is a data sets stewardship principle that says when you have health information, there are limits to how you can use it. It does not, specifically, resolve the question, Judy.
Judy: Are we going to resolve?
Not today. We will get there.
Thank you.
You're welcome. Again, these are just at the principle level. I will propose - understanding we have had some discussion about some things that I think we want to pass on to the strategic planning work group - I appreciate that people were good about not wordsmithing this too much, but I propose that we, with a couple of issues that we raised, being communicated, also, to the Strategic Planning work group, to go ahead and move this over to them for consideration as the overarching principles that will guide for their work in the strategic plan on privacy and security. This is just on principle level, understanding it does not resolve all the details, and it should not, but just at a principle level. Do you have objections to that?
I would note that I would like a for discussion of the term "reasonable."
Are the right to propose that we pass that along with a full understanding that while for Some people, that is the comfort level, that the balance will be appropriately instruct for others. It makes people uncomfortable and what is reasonable in any given circumstance is what needs to be determined by more specific policies.
Also, you have at your disposal creating objectives. If the principle is reasonable and that is not defined or not precisely characterized, then back one of the objectives that either ONC or the policy committee, even, is to delve into that and say, how do we hear the balance of objectives and create a policy that reconciles all of the need. Clearly, [ indiscernible ], John Huston is the co-chair of the privacy and security committee has done a lot of work on it and Deven's Group. There are a number of people that have commented on that and maybe get one of the objectives might be to look at those things as part of this preparation for new policy. Do you see what I am saying, Gail?
Yeah.
We have a principle and objectives can help sort out the term "reasonableness."
To the extent because this is Paul. To the extent that there - we have a strategic planning work group but to the extent that objective might be discussed on privacy and security, I know that I will want to bring those to you all for further discussion. In fact, what we are doing should inform what they are doing. I think there are others that serve on both, this policy and security worker, in my view, should have an opportunity to shape what goes into that work plan.
Absolutely.
Deven: To get the discussion. Thank you, very much. We will move right back onto the next agenda item. Let me take a step back a minute and set a framework here. One of the things that we discussed in our last call was a tentative work plan for moving our work going forward. Rachel and I are still tinkering with that a little bit but actually think that's it in the interim was the release of the meaningful use proposed rule by the Center for Medicare and Medicaid services and the release of the interim final rule on certification criteria, both of which have sections on privacy and security that, I think, are definitely worth discussing and, actually, raise issues that we had tentatively brought up to be on our work plan for the first quarter of our time together. That includes how to operationalize some of the new accounting for disclosure provision of provisional IRA and the provisions that were in ARRA and also security practices and policies. I thought it would make sense, given that these rules have a, period of 60 days, which is rather generous, but we have no slightly shorter time period that if we want to keep up to the policy committee some recommendations that we would seek their endorsement on before forwarding them to reap ONC and CMS, in my view it is a more powerful set of comments than what was put forth in both of these rules. So, with that, what we sent you in the agenda were links to what is called the prepublication version. What that means is it is the version before it is officially put in the Federal Register, but still available from a public source. I notice that the links were not working for need to well over the weekend, so I sent you the hard copy documents.
I took the liberty to highlight for you, because they are really big rules, some of the areas where the privacy and security provisions are discussed in some more details because of the page numbers will not work for you any more, once the official rule appears in the Federal Register, because the page numbering is a little bit different. Nevertheless, it should do for us for a few days, and I will ask my Policy Council she will find the page numbers in the new rules when they are published. The bottom line is if we are going to seek to put before the policy committee some recommended - some specific concerns that we have addressed in these rules before they are "finalized" now, we should do that and be ready to do that before the February policy committee meeting and we do have at least one or two more calls scheduled before that. There is time in which to get that done. I want to at least begin discussing and start collecting issues and concerns on this call, today, with the hope of putting before you some strawman, strawdog proposals for our next call. Specifically on meaningful use, what you have there is - I am really focusing on what providers and eligible professionals, which are the individual providers and what hospitals have to demonstrate in order to be eligible for federal funding under ARRA and the measure is broadly - their objectives, but the measure is in my view where the rubber hits the road, what they will have to demonstrate it because that is that they have to conduct or review a security risk analysis per the security rule, and implement security updates as necessary. I presume that this is reported through [ indiscernible ], which is how most of the meaningful use measures are reported to CMS.
The certification criteria, which on a broad level of those criteria that have the technical functionality that has to be it in the electronic health record technology in order to support achievement of the meaningful use objectives and, to meet the Pope seems to be more on some security measures there, including encryption, and the corruption, decryption, mechanisms to make sure the information has not been altered in transit, authentication and an ability to record certain information on disclosures for treatment, payment and operations. This is related to the changes in the accounting of disclosure requirements that were part of the stimulus legislation. For those of you that do not know, currently people have an ability to get an accounting of disclosures from their medical record, but the treatment as any disclosures for treatment, payment for healthcare operations as defined in HIPAA, did not have to be included. In ARRA, Congress took that exemption away and said to ONC, you have to develop a technical standard to facilitate the reporting of these disclosures and, consequently, the Office of Civil Rights needs to come up with a regulation that specifies in more detail how that will get operationalized. I will stop there and open this up for comment. We have some no takers here I want to have a rich discussion about issues, concerns. Is it sufficient? Is it not sufficient? Is there enough of a connection? What is missing? Are we happy? Again, we will come up with notes and structured a discussion that might lead to recommendations on our next call. Rachel, I have been talking for a while. Is there anything I missed?
No.
John Blair: Is it too simplistic to say in beepers peas, initially, for the providers and in the second it is a system capability, technical system capability?
That is exactly right not comment on.
They are declared in the certification criteria that they are two separate rules, the certification criteria, and interim final rule is only about the functionality that has to be in the system. It is not about whether you use it at all.
In the document that came out last week and the second piece on the system capability, my read is that if you have a certified system, that will take care of it. They point out that by having a certified system, it does not take care of your HIPAA requirements but this piece on the security.
Dixie: This comes up time and time again in work on the standards committee. ARRA requires two things to get reimbursement. One is that an eligible professional or hospital has to acquire certified technologies. That is what the standards document specifies the requirements for data getting that technology certified. A vendor would be most interested in those standards. The second thing required is that they demonstrate that they are using that technology and that technology meaningfully it. That is what the technology measure should apply to. That is what the individual organization should pay attention to. Standards are for vendors or those developing systems and meaningful use criteria is for the users. The point that I often point out is that there are, it just because a capability, and technical capability, it is in the technology, it does not mean that it must be used or how it must be used or anything like that. For this group, we should be paying attention to the intersection of the technology, given that they have record contract acquired a certified system, what do they need to do to that certified system, with that certified system, to use it meaningfully?
Practically speaking, how will you test for?
We will not. Deven blessing to us by attestation.
Paul: The summary you gave about certification, Dixie, was very good. I am one of the co-chairs of the certification group. The concept is these are technical capabilities. The issue about how you tell whether or not someone is using them is a very good question. It is two questions in front of us. What should be in the section on meaningful use, privacy and security? What is written there, is it adequate? A separate question is if the certification for privacy and security, is the criteria adequate? These are two very different things. The certification work group, basically said that the certification criteria for privacy and security should be robust and allow any purchaser of the systems to be able to fully comply with the law, the law being HIPAA, the law being any other law or regulations that might apply to the privacy and security. By saying it should allow the user to do that is as tough and I said, does not mean that the user will do it. This is just a technical capability.
Paul: On the user side, the meaningful use side, the criteria that CMS proposed is that the organization do a security risk assessment and act upon that. That is the test on the user side. It would be very interesting from the policy committee to have this workgroup's feedback or comment on that NPRM for the privacy and security section. As Deven pointed out, we will provide something back to CMS, indirectly. It goes to ONC because we are an advisory to ONC. The comments on the rule that you have two opportunities to advise future recommendations. One is to the comments on the NPRM, or the IFR, and the other is to and strategic objectives to ONC through our workgroup.
What bothers me about this, this is just coming context bang-theoretically, I believe-this is Dixie. Periodically, what they say in the meaningful use should be adequate. You do a risk assessment and identify what your vulnerabilities and risks are and use the technical capabilities that are in your technology to counter those risks. What we know from the security hearing we had for the standards committee is that 48% of the people who responded in the 2009 survey, which were mostly large hospitals, 48% do not do an annual risk assessment. So, up until that testimony, I for one thought most people were doing a risk assessment and would look at this and say that that sounds pretty reasonable. The fact is they are not doing the risk assessment to begin with, which makes me question their capability or motivation to really even do this measure that is in the meaningful use.
Paul: That is a good comment, Dixie. One question I have is, do people know what a risk assessment is? Should there be a greater definition of what a risk assessment is?
John Huston: I agree with Dixie. There are wide variations to compliance with things like HIPAA and ARRA and institutional maturity around the whole idea of risk assessments and compliance, for that matter. It would shock people to know how not complain Institution scholar.
Isn't this an opportunity to affect that?
Yeah. What verification do we have that once they do a risk assessment, if they know what it is, what measures have been put in place to rectify that? Do we have a way, other than attestation to know that measures have been put in place?
Rachel: That is not very fair comment, if you take this out of context. I would point out that the entire stage one, and please correct me, Deven or Paul Tang, if I am wrong, is based on attestation.
Peter: That is correct, Rachel. I was talking and was on the back and could not understand why my voice was not coming through.
[ LAUGHING ].
Peter: I should have the problem more often.
[ OVERLAPPING SPEAKERS ].
I could not see. Once they go past and the pass meaningful use we would have the right to expect other information about what vulnerabilities were exposed in a risk assessment and what remediation tasks were taken. Right now all you have to do is attest. As Rachel said that is the schema for meaningful use. We want to make sure it is doable by most providers and can be implemented by CMS. Going into stage two, my hope is this work group will come up with, just as other work groups are coming up with, more robust measures for stage two and three and make sense to show that people are not just clicking a box and signing a form and not knowing what they are doing.
Are we assuming blind attestation?
No.
The attestation becomes real?
Of course it is.
It is under penalties. If you all caught--
That would change your 48%.
I think the distinction does this is John?
Yeah.
The distinction is that - I will speak to providers, I am more comfortable with making a blanket statement like that because I am one, and a provider might click an attestation that they did something with an allergy list and most providers know what that means. I think most hospitals know what a security assessment is. Most providers would need help providing what a security assessment is because they might let it begin to have done one by checking their server is la in a Room and think that is the security assessment. I would say that, yes, attestations are taken seriously, but it is true that there might be a certain level of providers that do not fully understand what doing a security assessment is the map that is my big concern. I am not as worried about patch fraudulent attestation--
I am not as worried about that if they truly audit does and not as worried about the larger institutions to invest that did not do it before or you have the 48%. My concern is, as you point out Peter, the small practices, that the really even understand what this is. To me that is the biggest lift.
Paul Tang: Maybe I can a format for are you can package of your recommendations going forward. The three opportunities: One is the comments of the NPRM. But CMS through ONC would really appreciate it if you have a comments on the proposed rule, what is your alternative? What is the rationale behind the comment, and what is your proposed alternative and the rationale? If we are saying that attestation is not good enough, what is the alternative? What is the rationale? There was another opportunity mentioned that in 2011 this proposal, maybe in 2013, 2015, it might look different because we are looking for your guidance on what you would propose for 2013 and 2015. The Strategic Plan for updating ONC, what was most recently mentioned was that we need to educate, particularly the smaller practices without the large number of FTEs or support, what does it mean to conduct a security risk assessment? Is that something that the regional extension centers can help with? These are examples of concrete ways that this group can for a recommendation of to the policy committee.
John: Can I suggest that one other thing? There is an interesting dilemma here. Under ARRA there will be increased audits that will occur. I think it would be-the question is what would happen if someone attests to having adequate security team that plays and going through the risk assessments and the like and some incoming in and doing an audit and finding out that they did not comply and the Organization of having already received additional funds through this, through the meaningful use-I guess the question is, how is the payment of those fund-are they going to be asked to give back funds?
One of Deven's brainchilds is the proposal she made to the meaningful use workgroup on how to enforce this. She came up with the proposal that your meaningful use incentives would be held back if you were found not to be in compliance with, for example, the date will security rules because that was taken out in this NPRM. It would be interesting to know from this group, as a Group delving into this particular category, what your thoughts are, what your comments are about that change.
Peter: I think it is two separate questions, unless I am misinterpreting what you said, Paul. The current rule even for attestation is all or no. Providers and hospitals need to attest that they are compliant under every attestation under ARRA to get the money and if they are not compliant with security or privacy rest, the meaningful use incentive is withheld. I thought the other person on the phone, I forgot your name, was asking what happens retrospectively if an audit was done and you attested to everything, so you got your payment and paid them by audit you have not done something, which can be separated into, was it willful, balls used and you said yes and did not do it, or you attested to get, but it was not adequate. Those are different, and my interpretation based on how Medicare, rather CMS deals with other payments that are found out later by audit to be inappropriate is they ask or get the money back, sometimes with penalty. That would be my expectation for a false attestation, determined to be false, respectively, by audit. I would hope that would not, necessarily, be done with a attestation done in good faith and was done because of ignorance. However, based on how CMS deals with other payments, ignorance of a requirement is not an excuse for not having done it correctly.
The other thing to keep in mind is that meaningful use and whether your attestation for any of the criteria are accurate and not false, that would be up to CMS to determine. They oversee the meaningful use program and the payments. However, the increased responsibility on the Office of Civil Rights to audit is with respect to the HIPAA privacy and security rules. On the one hand, if an OCR audit uncovers any security rule violation, unless there is a connection to the meaningful use payment, that does not exist today, there would not be any impact. What Paul was explaining was something I have suggested that if you are an entity that is under formal investigation for a HIPAA violation, you should not be getting payments, even though they are coming from CMS under the theory that this all out of the federal Treasury in one bucket or another, until that gets resolved.
Paul: It is an interesting discussion but seems to me that the topic on the agenda that we need to discuss is what is written here in meaningful use and NPRM with attestation about the security audit, is that adequate? Do we have any comment about that? That is our number one issue. The other issues are important and interesting, but this is the number one issue. Is it reasonable?
Kathleen: On that note, I was wanting to know if Dixie thought that having providers purchase certified EHR technology that meet the security standards stated in the interim final rule would give them a leg up on what they should be looking at from a risk assessment point of view and, possibly, move them closer to being able to do a reasonable job on that? Can.
Dixie: Obviously, it will provide them more technical-each got one of these products will the security capabilities like authentication and access control and auditing, etc., as required by HIPAA, but comes back to - I think it was Paul that confirmed that people are not doing the risk assessment to begin with. I suspect most of them today have the capability, the technical capabilities to implement security functionality that is needed, but are not doing it. I think that is the big issue. I think we might be able to do if we could reach out [ indiscernible ]. Additional press risks of having a EHR introduced into an enterprise that they did not have before.
Paul: Can I ask you more questions on the existing security requirement to get a risk assessment done, Dixie? Is that conducted internally or do you have to hire an outside entities to do that assessment? Is the rule specific on that? Is there any guidance on what an appropriate risk assessment would look like that might be out there the providers might not be aware of it?
Dixie: The rule, itself, does not say it has to be external. It is an internal risk assessment and you have to do it manually. You can go Google security risk assessment and there is plenty of information out there. They are just not doing.
That is right. Getting to the question that people brought up earlier is something that I want to try to get more information on and try to shape into a recommendation. Guidance for these providers and, mainly the small ones that are not doing it because they have no clue--
Judy: I am wondering, and I do not know if this helps you because you might have to do things in a certain order, but I am wondering if we are putting the cart before the horse. Testing for privacy and security depends on what we decide we have to do it electronically. It could be anything to opt in or out to check that to a whole complex list of things that might take several thousand hours. Until we know what it is we are testing for, it is hard for us to say that because you're enterprises and large organizations can deal with a thousand hours or several thousand, but the small ones, of course, would struggle.
[ OVERLAPPING SPEAKERS ].
We would not ask people to do risk assessments for policies that are yet to be developed. What they are being asked to do is not security risk Analysis for per existing law. They do not need to speculate about what we might decide in the future. If there are for their policy developments, ideally, author of recommendation that it promulgated, that changes the dynamic.
That is what I am saying this because we have to keep that in mind. The two things work together is because of the complexity of what we do later on will affect the testing.
Paul Tang: In the question about the security rule, in the preamble to the rule, they did explain how, depending on the complexity, it can be a big thing for in smaller settings does it can either be done by your own staff or external parties.
Right.
What was not available when the HIPAA Security came out where these [ indiscernible ], for example. Since they target the smaller practices, maybe they do come up, get one of their central, national tests is to come up with guidance about security audits. That could be very useful for that small practices and can even label it as the target margent patch [ OVERLAPPING SPEAKERS ].
I understand.
The 48% on all large hospitals.
Dixie, I was not commenting on what people do or choose not to do, it was more the resources to have a Security audit Plan in Place. These smaller practices do not have that, uniformly. There is a separate issue of whether people have an audit that is another dimension.
In the small practices, it is probably 95 plus%.
Gail: I would also like to comment on the smaller practices that are limited to the primary care. There are a lot of small practices out there that we want to be a part and have a EHR. You need to make sure that there is a way to educate all practices, not just the primary care practices.
I think the RAC was just an example of mechanisms to do this. I think it will have to be a part of routine implementation across the board.
What RAC can do for primary practices is create a workbook or handout that can be utilized by other practices.
All of these.
I would wager that 95 to 100% of practices under 50 doctors do not do--
Of course not. They certainly would if they knew what to do. If I can invoke the word "reasonableness "Mack, if it was relatively simple or they could designate their office manager to do, they would welcome that as part of their annual workflow.
That was that one of the points on Paul's comments on the three pieces, the attestation, 2013 and Education.
Thankfully there is not made vehicle for. It is not a perfect vehicle given that it does not cover everyone, but not better start than what we might have if we did not have that piece available. What about the connection to the certification criteria? Someone started to raise the point earlier in our conversation. We had the new technical functionalities that the electronic health record technology now has to have in order to be certified but is not - those are not connected in any meaningful way, forgive the FTE police security risk assessment, not in an obvious way. What struck me with the standards in my limited experience - - no requirement to use any of this.
That is the meaningful use requirement. There should not be patch I am not suggesting, Dixie, that you put the requirement in the certification piece. What I would like to discuss is if there is some room for some requirements to use these technical functionalities either as part of meaningful use or something we would recommend to OCR to updating the recommendations or guidance under the security rules patch [ OVERLAPPING SPEAKERS ].
I would strongly concur with you on that, Deven, that there should be more specific measures of using those securities standards and would note that access controls do not appear on those lists that appears to be a huge gap.
Can you tie that in would hurt you clarify the risk assessment?
That was the intent. But the question is whether we want to add-and it is a valid one, whether we want to recommend additional specificity to the meaningful use of Employment Security updates as necessary. Do we want to provide some specifics? For example, here is a good example. The criteria standards require that they be able to speak. Do we want to say of the meaningful use if you'd start a PHI on a mobile device or the U.S. The or cell phone or whatever, that the dates that must be encrypted versus data that is on a server in a data center of that is not subject to as much risk of inadvertent disclosure as something that is on a mobile device?
Paul Eggerman: Your comment, Dixie, is a very good comment and I want to get back to the two issues that Deven raised which is the disconnect between the certification criteria and meaningful use - what you are saying, Dixie, as the requirements to use this stuff. On the first one, on the disconnect, I did not see that as a problem. You see the IFR for privacy and security should be more robust than what you have for meaningful use because you cannot test for everything and will not require meaningful use measures on everything. I think it is okay that there is some level of disconnect. The issue of the required use, which I think you are referring to, Dixie, is an interesting issue. What I did not understand and the whole long description with encryption that came first, this is what we would like you to do, but you do not have to do it. I would like to turn that around and say that this is the minimal requirements. You have to do this or something better within the certification process. That would be good. You did not, necessarily, have to connect everything you do in the certification process back to some meaningful use test.
If you call that out in the risk assessment and have the minimum thresholds, does that do that?
I think that is an interesting question is because this is Deven. It is not entirely clear to me what implementing security updates means. Does that mean having the functionality is present in the technology you are using or extend to using it? It feels like the dots are not fully connected.
If you clarify it, does that get what you need?
I am also asking them bigger question that goes to Dixie's point but not thinking about it in the specifics she raised. I think there is only so far you can go with the meaningful use and criteria you are setting because hospitals and doctor plans and other eligible providers have to meet every single criteria to be paid their meaningful use. If you load too much up into the bucket, and this goes to what Paul Eggerman was just saying, we will be in trouble. That is not, necessarily, the only policy vehicle we have for strengthening security. We could also make recommendations about the security rules. That is not within the policy committee purview, per se. That makes an important statement about how merely having the technical functionality that does not get you to a more secure detent environment.
If you have the technical capability and attestation through the risk assessment that calls out certain things, specifically, as minimum requirements, that starts to get you there and the 2013, you can move to testing.
Gail: My point is that security and privacy are absolutely the foundation of getting the public to buy into the whole concept. If you want to call things out and want to really put meaningful use requirements in, this is the one area that you need to do it, very specifically. We need to have a stronger meaningful use component in privacy and security than anywhere else. Yes, it does put a burden on providers and hospitals, but this is the one area where it is required to do it, even beyond attestation.
Paul Eggerman: Those are good comments, Gail. My observation is that you can do some of these on the certification side. If, for example, you say that all electronic health records have to be certified that they encrypt all of the data that is stored at rest, it is very hard for a small group to buy a certified record and run around that. There is no reason to do that if you put it right into the certification criteria. That is the place where you can put the specificity about what you are looking for, Gail. The thing that gets hard is privacy. It is not a technical issue, it is all about policy. You can do everything you want about security and encryption and all kind of fancy words, but if people do not have the right policies in place, they put their passwords out on the computer to see what the password is, there is not much we can do about that. It is not a technical issue or even meaningful use issue.
They never had an attestation audit in remediation before.
The audit--
There has been an audit.
There are Medicare audits.
Different audits, Gail.
Dixie: Deven, your comments about recommending changes to the security rule, itself, if that were truly an option for us, I would think that is the way you would want to go. What you would want to do that's actually, our committee talked-out or work group, on the standards committee talked about this, we know in the security rule there are a number of required standards-and they call them the standards, require provisions and are even more that can be addressed, it means that they get an option whether to implement them or not. That was written the late 1990s, right? As organizations are implementing EHRs, is this the time to go back to those that can be addressed and make some of them requirements?
That is, essentially, what I was hinting at. The policy committee that we report to is not an official advisory body of the Office of Civil Rights, which now has oversight over both the HIPAA privacy and security rule. Having said that, we reached out to Sue who is the deputy director of the Office of Civil Rights just to see if she was interested in hearing from us on recommendations for implementation of the accounting for disclosure requirement. She said, sure, yes. We have limited ability to cry foul if any recommendations we would send up on the security rule were not adopted, because we are not an official recommendation body for them, but the doorway has been opened and we would be really confined with what we can do as a work group if some recommendations with respect to the basic set of rules that cover this data at a federal level were off the table.
Paul Eggerman: Those are good comments, Deven. Question I have, we are supposed to see if we will make no comment about the NPRM. What is written in the deficit is okay, but we are not that excited by it because of other issues, so we need to go further. We think what is written in the NPRM is okay.
We have some suggestions of what we would do-it more on the education side and making some comments with respect to stage two, which we assume is about 2013. I do not think we are, necessarily, silent on that. You are right, if we are going to go to making recommendations on the security rule, we are not confined by the time frame of comment on the rule that exists.
The question is for stage one, what is written in this NPRM, you have to [ indiscernible ] whether you have done a security audit, are we happy with that? Do we want to recommend any changes to what is written there?
Dave: We have talked about security pretty thoroughly but have not talked about privacy. The second goal is that also requires a measure.
Back to the earlier comments, how do you measure privacy?
There are issues around transparency of data sharing that could be attested to.
The but to it is it is easy when you are checking of things. This has hundreds of thousands of providers. I am worried that it cannot be reasonably measured.
Kathleen: Are there some federal laws that many providers are supposed to be able to support for privacy that we can test, for example, whether a provider can support a 42 CFR directive?
Are you talking about under Part 2? That is limited set of providers that are subject to that.
Right. Are there other ones we can use?
You can point to HIPAA. That is where the whole question of audits comes in. What happens if someone attests to it and CMS comes in and audits them and says they did not comply.
Another example I am thinking of is in HIPAA you have to be able to support authorization to disclose to the Social Security Administration, I believe. Is that correct, Deven?
There are a whole set of authorizations required, certain data users require a certain authorization and under certain state laws that already require consent to disclose certain types of information-if we did not do another thing on that issue, there is already law.
The question is outside of a complaint, how is that being chat pod?
That is the only way it is being tapped.
Okay.
Deven, the comment that I do not know who it was, about transparency.
That was Dave.
Hi comment Dave. Does the outcome priority of aiding the patients, does that come within our review?
Well, it does not, per se. What was your comment, Dixie?
Dixie: They have some specific measurements, percentages. I thought that was what he was addressing.
Deven: This is different, Dixie. If you look at a particular set of goals in the meaningful use rule. This came from the matrix appear until an approved by the policy committee, what are the care goals that should be achieved? The second is to provide transparency of the data sharing to the device because that is different than providing patients with copies of their data set.
Dixie: He is saying that they have no measures addressing that at all?
And the: Not only is there no measure but no objective.
Dixie: Oh.
Travel: In stage one. What you do have, of course, is a requirement to provide them notice of privacy practice under HIPAA. I think the main lot of people are less than satisfied with that on both sides of the fence and find it not to be terribly useful. That is what we have as of today.
Sarah: What did the committee recommend for this committee?
We have some things to say-what I have said is based on the comments that this is not our first bite of this apple and I would put together some strawperson, more recommendations so people can review them before our next call and finalize them. They were in the area of finding more mechanism, whether to the regional expansion setters of the centers or otherwise to provide better education about to do an appropriate risk assessment.
No, I meant-didn't the first policy committee provide recommendations for meaningful use?
I still do not understand the question.
I thought there were measures that were initially made by the policy group in August, or whenever that was on specific meaningful use measures and one for privacy. I do not remember what it was. I could be completely wrong.
I am getting it out.
Kathleen: In the NPRM, on that one of the tables of the meaningful use measures, it is the capability to exchange key clinical information and is for the eligible providers and hospitals and the description is to store, send and receive key clinical information, the information transmitted to the providers and patient-authorized entities. I wonder if [ indiscernible ] looking at support for privacy.
What are you looking at, again?
One of the tables in the CMS NPRM. I can send this. I have it taken out of the actual document. It talks about having demonstrated ability to store, send and receive information and says transmitting it to be providers and patient-authorized entities and seems to call for the ability to use the patient authorization to decide how information would be transmitted.
That gets to the consent question that has longer and the larger ramifications. We are not going there yet. That is not necessarily a hook for the issues we have not fully gone through.
I do not think it is consent. I thought it was the HIPAA authorization forms. It is in the list of meaningful use measures.
I think you are cherry picking something out of that has to do with--
[ OVERLAPPING SPEAKERS ].
I am not sure that we need it.
I was looking to get something-was there anything in the meaningful use measures that related to the privacy? I was wanting to highlight that particular one. I do not feel like I am cherry picking.
I think Sarah's question was related to the privacy and security category of the use the matrix and sounds like you are quoting from is from another category.
This is out of the rule and Sarah was talking about what was in the matrix. In 2015 there was segmentation and others for other periods.
I say nothing for the first year.
I think the first year and was just HIPAA privacy.
And the risk assessment. As we discussed earlier, the compliance with the privacy and security piece is full compliance with the rules, that was the piece that did not get picked up by CMS, but they did pick up the one measure for 2011 that was adopted by the policy committee was conducting or updating the security risk assessment.
Okay.
Coming back to that issue, I think Kathleen's point is taken. One of the ways of providing transparency to the patient is through a consent and authorization process and is something that one can attest to, not the only way, but certainly the starting point for stage one. That is one of the ways you can get that issue.
Can you explain more what you mean by that?
I think the concern that the terrible is speaking it is that patient's information should not be disclosed without their knowledge and consent.
It is not, Dave. Is Paul Tang still on the line?
I am.
This is the question we are talking about is the care goal identified in the meaningful use matrix in the privacy and security area, specifically of providing transparency of data sharing to the patient which was an established care goal. The only objectives that were established were compliance with the rules of HIPAA and the fair data sharing practices in the nationwide remark that we discussed earlier in the call with measures being limited to the full compliance and conducting or updating the security risk assessment. I do not think we intended that the transparency provision to mean consent, per se. We recognize that was a bigger issue that would need further discussion to resolve.
I think you are right, Deven. That was a little bit like what we now call principles. One is for the patient to understand how their data was used and disclosed. That then translates to the principles that this group is talking about in terms of the previous remark and goes into-right now, HIPAA privacy and security-another thing for this group to think about is EHRs, in the sense, in addition to what we have done with EHRs, we have the whole category of engage the patients and family. What is going on is we are giving access to and use of their data with the electronic tools and applications. That automatically says there is a notion of a PHR going on and would imply that the policy and security work group, this workgroup, might have something to say about use and protection of information as it is disclosed to PHRs. That is something that we are already open up with meaningful use. Here is the thing with consent. We will absolutely take this issue on. It has a lot of very complicated components to it from what is capable with respect to the vendor standpoint to the policy we have in place today and what we should be pursuing in the future. I promise you we will do that and the only reason we are not starting with that is because there is some architecture of HIN issues currently being discussed upon which recommendations are being formulated by the [ indiscernible ] workgroup and we decided we would hold off on beginning those conversations until we had more direction on what this network is going to look like. We will get there. It does not do justice to the issue at all, I think, to shoehorn into this space when we have not, necessarily, had a conversation about it.
I am trying to think of what, if anything-we should think about what to do about this data sharing transparency issue, which is another important issue and include when an individual has the right not to consent, and when they do not, I think to try to take it on in a bigger way as part of this discussion to inform comments on meaningful use, we would never get it done in time.
Kathleen: I am wondering-it sounds as if the architecture of batch is setting parameters for what this committee can discuss.
It helps to shape-a consent discussion is better informed if we know consent to what. What are we talking about? It is has brought with data sharing and any capacity. On the other hand, certainly the way it has been shaping up, nationally, over the past couple of years, it has been enhanced with respect network participation. We were told that the NHIN work group would have concrete things to say early in this year and made sense to not, necessarily begin those discussions until we had further information from them. I need to do a double check on where they are headed. I am not sure they are as far as we thought they were going to get and do not want to put this conversation off for much longer, because it will take us time.
Paul Eggerman: I agree with what you just said, 11. We need to know the men lot about where NHIN is going as we define privacy policy. Otherwise, it is like the cart before the horse. I am also looking at the time clock. I know we have to start the public comment section in a couple of minutes and vote and and most of this discussion has been under and then on the deficit on the meaningfully aside and elm wondering-we have done very little discussion on the IFR piece and probably we do not have time to discuss that. We need to mark that for some additional discussion for a future meeting.
Absolutely, Paul. I agree with you and invite people to-I actually started to hear Kathleen raise some concerns about something she thought was missing. If other people, between now and our next call, which is in a couple of weeks, if they have things to put on the table, and to meet early. It will help Rachel and I structure the agenda so we make sure that we get all of these points discussed. It will always be a challenge with the number of people we have in the group to moving this forward. That cert piece is a powerful public policy tool that we have. The question is, is it being used correctly for as privacy and security piece that we all agree is critically important? That is an important issue to put some attention to.
Was Captain's comment about access?
Yes.
Send me something, Kathleen, since we are talking about your point that we did not get to raise.
Rachel: I have been listening carefully. Maybe someone already made this comment or conclusion. I wondered in terms of dealing with the more narrow question of the transparency, if part of what we are doing is try to crosswalk the certification criteria to meaningful use, since the certification criteria it does address the auditing of disclosures, I wonder if there should not be, perhaps, a recommendation from our group, if there was consensus on a meaningful use measure relative to the certification criteria?
That is what I was going to say. We have been pointing out how it be provided transparency has no objectives or measures. That is really where the hook is. Accounting for disclosure is not mentioned in the NPRM, just mentioned in the IFR. This is where it really relates.
I do not want to keep harping on it, but that gets into the thing that I said about risk assessment. If you start to include those things as minimum requirements for everyone, doesn't that gets at?
Yes. We have to go through the list of what we think the elements are and I am not sure-It is one thing to have a security risk assessment and act on it, whatever that means, but I am not sure if I would assume that that security risk assessment would assess the patient's access to the audit log back for disclosure.
If you look out the NPRM now, page 64, you see it has these two [ indiscernible ] and only has that one objective that says addresses both of these. I would argue that protecting electronic health information through the implementation of appropriate technical capabilities does not, necessarily, include the accounting for disclosures.
Also has different time frames for implementation that we will have to think about in terms of crafting something.
Right. We should consider recommending that we add accounting for disclosure as an objective.
That is a duplication of the extension to HIPAA that ARRA added. No longer is [ indiscernible ] exempted from the accounting for disclosure. It is already done. Maybe the language can be strengthened to say it is not just the data security piece but also the privacy rules.
Yes.
Which has been modified by ARRA.
Looking at what is in the NPRM, it does not mention HIPAA at all, protect electronic health information, created and maintained through the implementation of appropriate technical capabilities. Accounting for disclosure is more than technical capability.
I think, if I remember correctly in the preamble piece it talked about one of the reasons they took HIPAA out is that it already exists and people are expected to be compliant with it. That is what I am saying. You are right now, maybe not suggestion is to tie HIPAA as part of meaningful use. It goes back to Paul's point, you need to be in compliance with HIPAA, privacy and security.
A cross reference.
Adding another but duplicative requirements.
We said we would not want to duplicate it. We are eating into our public comments period. Rachel and I will definitely talk about this more and try to bring things more specific for your consideration for the next call and spend more time talking about the security standards that are in the certification criteria. Send in any comments that you could not squeeze into this limited amount of time on the call today.
When is the next call?
January 22nd, the clock read 12:00.
Thank you.
Let's bring the public in.
Can you do that, Allison, and if you have any final remarks while she opens that up?
To
--It is hard to separate these issues out from the others that we can tackle in this time period. Again, we will continue to do it the best we can. I cannot emphasize enough that this issue of consent, it is on a lot of people's minds, we will deal with it and in a very comprehensive way.
Great. , parade and an operator, are there any public on the line for comments?
No, nobody is on the line.
Okay.
We will give people a couple of more minutes.
The next meeting is from 10:00 to 12:00.
With the prioritization of timing, it goes without saying, but I will say it while we are waiting, it is that some sort of a summary of potential issues or clarifications on the two rules would be the most important thing for us to tackle in our next discussion.
Yeah.
So, if members of the committee have specific suggestions about some of the things they commented on during the course of the call or other issues, get those to us before the next meeting. That would be the most timely way to ensure that those will be addressed.
As soon as possible. We will have to start putting an agenda together.
It is very two weeks.
Just to reinforce what Deven said about the timeline, the policy committee is expected to give the deliberation on the comments on the NPRM by the next February meeting--
February 17th. We will be submitting to ONC, their comments by March first. That is to keep with CMS's timeline. The digested information from this work group needs to reach the meaningful use workgroup in time for it to make its presentation to the full committee by the February 17th date. It is not a lot of time.