The Privacy & Security Policy Workgroup met on January 22, 2010. The agenda and rough draft transcript of the meeting are below. I have gone through the transcript and it is fairly accurate so I am going to post it. I had hoped that we would start seeing meeting summaries and audio files from the meetings posted sooner, but that process is going to take some time to implement. It is not my intention to misquote anyone and please remember that this is a very rough draft transcript. I will provide a link to the audio of the meeting, official meeting summary and then transcript when they are available.
Rough Draft Transcript:
Welcome to the privacy and security policy work group. This meeting will close a few minutes before noon and there will be an opportunity to make comments. I will now turn it over to Deborah.
Thank you. Are you at the Philadelphia library?
I think before Paul speaks, it should happen.
We do have some things to get done today. Just an overview of the agenda, we are going to spend most of the time talking about what we might recommend to the policy committee with respect to some comments on the meaningful use and Standards certification criteria rules and then, but I hope to do toward the end unless we are running out of time, although I may start this conversation even if we are not done with the recommendations because we do have one more call scheduled between now and the next policy committee meeting in mid February. This is not our last bite at the apple with respect to recommendations, but I wanted to get as far as we could. I hope to be able, since the issue of patient preference, patient choice, sometimes referred to as consent, is weighing heavily on a lot of people's minds. I want to start building a work plan for how we are going to tackle this and maybe get some feedback, not to discuss substance or talk about our recommendations, but more about what information do we think we will need to help us answer this question? Whether it is the capacity or what is going on with respect to states and health information organizations, etc. Again, I know it is a concern of a lot of people. We are pulling together a work plan for that and I would like to begin to start pulling some feedback from you during this call and then we will close with public comment.
Before we get started on that, I have a question on page two of the agenda, the second paragraph, clarify the language in the care coordination section of the committee's --
That is right. This is more a note to me. Since I gave you so much annotation on the agenda, it ended up being kept in there. I can't remember, Peter, if you were on our last call. There was some discussion what that language meant and whether that was some opening we should try to use to put some recommendations to the policy committee with respect to patient consent and when it should be obtained. That was towards the end of the call and I wanted to make sure everyone was clear with respect to that piece of the matrix, the reason why that language is there, because it is a data sharing section of the meaningful use matrix the policy committee came up with and it was intended to refer to the sharing of data, not necessarily among providers, but with entities the patient authorizes. It deals with the new requirements in the stimulus legislation that when patients have a right to an electronic copy they can get it sent to someone or another entity. Also I think it encompasses when a patient authorization is required by law and if the physician is sharing data, that is patient authorized. Since I helped develop that matrix it was not necessarily intended to mean anything broader than where current law is with respect to choices that patients have.
I just want to look at this from a broader perspective; my little read of your notes to self is that you're not redefining what care coordination is.
I was going to make a point it could include sharing.
Now that you know my intent, do you feel better? My apologies for that. It was a source of discussion on the last call and I wanted to make sure everyone was clear about what was intended from the privacy and security aspects.
Back to page one of the agenda, the health IT policy committee is going to be submitting formal comments which are likely to come in the form of recommendations similar to what we had done with the meaningful use matrix to begin with. To both the National Coordinator's as well as CMS and the Standards and Technology criteria, those comments will need to be finalized by the policy committee at its February 17 meeting to ensure they can be submitted within the comment period on those rules. Subsequently, the Policy Committee has asked each of its work groups to submit comments or recommendations for any of the rules that fall within our charge. Our goal is to come up with those comments or recommendations. To get a good chunk of that done on this call and to focus on the privacy and security aspects of those rules because that is our charge and again whatever we are not able to complete, we will pick up on our next call. We will also look at the articulation of our recommendations so that those people are comfortable that we have captured it appropriately in the language. Does everybody understand that?
Terrific. What I have proposed to do here is to start with the meaningful use proposed rule which covers stage one of meaningful use criteria which will be 2011 and 2012 for providers and hospitals or early adopters and to what the final incentives in the early years. The sole objective in the meaningful use proposed rule on privacy and security is protecting health information through the implementation of appropriate technical capabilities and the measure for that, as we started to discuss, is conducting or reviewing a security risk analysis, which is already required under the security rule, and implementing security updates as necessary, and the proof of that is attestation by the eligible provider or the hospital. What was rejected was a policy committee suggestion to make HIPAA compliance an express meaningful use objective and to deem providers who are under formal investigation, not complaint, for a HIPAA violation to be ineligible for any financial incentives until that gets resolved. There was also no specific objective or measure regarding increased transparency to patients regarding uses of data, even though it was part of the matrix, but the committee matrix did not specify any details on this issue in terms of what would be a more clear objective in that regard and how physicians and hospitals demonstrate that. If you are complying with HIPAA you have to provide a notice about what HIPAA allows with respect to access, use or disclosure of data. Of course, folks could disagree on whether that is transparent to folks in its current form. It is a requirement. In addition to these departures from the policy committee, there may be some other concerns to address and some of these came up on our last call.
Lack of knowledge about how to do security assessments, what is meant by this requirement to implement updates as necessary and no clear connection of the meaningful use requirements or the requirement to implement security updates to the new security technology functionality requirements that are required to be in the technology purchased using financial incentives under the legislation. I keyed up a couple of ideas for discussion and divided them into two sessions. First, looking at the existing meaningful use rule and what we want to improve in that, and the second topic is the extent there were criteria that were put on the table by the policy committee that were rejected, or are there some that are new we might propose. I had some suggestions written out there to guide our discussion today. I wanted to lay some things on the table for us to discuss so we could be a little more focused given the size of our group. I think we should start with what we might recommend with respect to existing meaningful use criteria and this is on the need to do a security assessment and initial fee. I suggested ONC provide [Indiscernible]. Perhaps they should be a joint effort with expertise across the board. Someone actually mentioned to me that in fact HL7 is providing guidance on this which could be helpful and these materials could then be disseminated and shared with the usual places that exist today for guidance on the security rule, that is on the CMS and the Office of Civil Rights websites, and it could be on the ONC site and regional program offices. I put specialty societies on there, but I don't know if that makes any sense. Then I suggested we need to make more clear that the need to attest to the security assessment is for all years of participation in the meaningful use program since the security requirement to do the risk assessment is annual. Then the performance of the risk assessment as well as the implementation of updates deemed to be necessary.
I'm not suggesting the providers should have to disclose what these are although we can talk about that, but they should keep documentation in the event of an audit. Laying that out, I would like to open it up to discussion.
This is John Blair. Two things: one, how are we going to deal with the different capabilities from a solo practitioner up to an IDN on this education, and I thought about the EHR vendors, that they will be dealing with these practices and having to deal with meaningful use. What about some type of obligation for them, or part of what they are offering in terms of helping the practices get meaningful use? That is another potential avenue to get that information out and help practices.
I have a couple of comments, the first being that if you really look - doing a security risk analysis to me is only part of the bigger picture. If you really wanted to try to identify an outcome, it is clearly attestation that you fully comply with the HIPAA rules for electronic systems. If you're looking for concrete measures against which to try to judge, one of the things I have asked for, and I think it does make sense, since audits are supposed to be forthcoming with respect to HIPAA compliance, when there is an audit, there should be an audit program, and audit programs typically spell out what the expectations are in terms of not just the audit, but in terms of what is and is not acceptable. What would be helpful to me, and I have asked for this on a number of occasions, is what is the government's audit program when it comes in to audit entities for compliance with HIPAA. If you could take the audit program and identify those components that relate to health IT, I think you could point to discrete measures that would be expectations. Again, I think that might be a way to address the measures component.
I think these are more in the form of questions just to help me understand this. The first is, under topics of discussion, I think it makes good sense to provide the education for people to better understand how to do the security assessments, but it is not clear to me what the relationship is between making a suggestion that there be education and the implications of the NPRM itself. It is a nice thing to have, but I don't see how it responds to the concerns we have about specificity in the regulation itself. That is a question, not an assertion. The second is whether there are important implications for their failure to acknowledge that the requirement for a security risk analysis is already part of HIPAA.
They did acknowledge that.
So is there already?
What they did not do was to take the broader "you must comply with HIPAA as part of meaningful use" suggestion that the policy committee put forward. Instead, they picked out the security risk assessment that has to be done under the HIPAA security rule and acknowledged it was part of the rule.
To clarify my question, if we know it exists, is there any legal reason to be overly concerned about not seeing some emphasis in the meaningful use stuff? Is this a serious concern we need to address, or is it going to be handled because it is already covered by HIPAA?
I guess I am confused. Am I speaking to the question of whether there should be a HIPAA compliance piece to the overall meaningful use rule?
Can we hold a conversation on that? That is in the expressly rejected category. It is related of course to this discussion.
That is fine.
Requiring education is good but it does not increase the specificity of the rule. I think a lot of us are worried what providers, and particularly the non-institutional providers, are going to do with being reminded that they are supposed to do this under the security rule and now making it part of the attestation of meaningful use, and they ought to have readily available education materials, I think more ideally tailored to the type of practice [Indiscernible], which gets to John's question. I don't think we are talking about one size fits all. There is a fair degree of flexibility. The idea is you are supposed to do the risk assessment commensurate with the type of system you have and with what the risks might be. We are asking physicians to do this, notwithstanding what they may have been required to do for HIPAA. For many of them it is the first time. It is very different versus a paper record. Again, I think the audit program compliance, to the extent that is developed and disseminated, could provide more hooks for specificity with respect to what needs to be implemented, but we don't have that, that I know of. We are stuck with what we've got but that does not mean we cannot have our recommendation and that something like that could lead to an ability to be more precise about what is expected.
This is John again, being responsible for information security and privacy in a large health system, this is a bit I know other people in my position are also interested in, and when there is a fear of an audit, you would like to know what you're going to be audited against. This serves two ends. One provides some type of measure that people can look to: if I look at this audit program and I do this assessment, or analysis I should say, what am I going to get measured upon and make sure those are aligned? That helps from a meaningful use perspective but also people doing security want to understand the rules and what am I going to get measured against generally. Forcing the audit program to be published I think serves not just the meaningful use aspect, but it allows people who want to comply with HIPAA and gives them the ability to do their own assessments in a manner that they would then feel comfortable with if the government walks in the door and wants to do an audit. You and I saw the survey where one of the questions was, do you feel you are compliant with HIPAA, and the answer with stats, and if they were comfortable if the government came in to do an audit the answer is no. I think it would be a good way to approach this.
This is Peter, I would agree. One of the problems of working in a health system and functioning in a clinical environment, there is still massive confusion among physicians about what HIPAA requires and what it doesn't. We are still seeing the aftermath of poor training and public awareness as well as a consultant campaign, in the opinion of some, to make HIPAA more onerous than it was, and I think this is an opportunity to come out on a more positive foot about what each setting of care needs to do; let's take it and be clear about it. I also look at each of the metrics for meaningful use as an opportunity not just to create a reasonable hurdle for providers to jump through to get their meaningful use benefits but also a potential barrier to people considering adopting health IT. We want this to be done in such a way that may even attract some people, that makes sense: now I know what I need to do to comply.
This is Rachel, I wanted to let you know I did join.
That is fine.
This is Paul, they have had me on hold for 20 minutes.
I agree with what everybody said about transparency and I think we also might benefit from articulated outcomes. Compliance with the regulations is not necessarily the intended outcome; the intended outcome is that you are doing due diligence around breaches of your systems. To the extent we articulate the outcome and the criteria against which those outcomes will be achieved, I think we help people. A question from my end is whether or not regulation is the best place for those criteria given the effort required to make changes to regulations, and we need those criteria to be more flexible and time sensitive than regulations might allow.
Here is the reality, I am wondering whether we would have to frame a desire for an audit program compliance guideline as something that is the responsibility of the regulators to do and quite frankly, it is not likely to be done in time for us to have more specific criteria. It is more phrased in terms that this is something that ought to happen in the coming years, and whatever educational material is available in 2011 ought to be disseminated and providers ought to understand to the best they can what they need to do to comply. Ideally, there ought to be more specific guidance that gets to what folks would be audited against by authorities so that expectations are more clear down the road. I don't see us framing this in terms of we need to have this before we can do any of it, because of the timing and we don't have what might be ideal in this space.
This is Paul, in the discussion of that audit, I think about a third party. It would seem to me that we should be encouraging ONC and CMS to work with accreditation organizations to perform this function. A better response to self attestation in my opinion would be, here is my security audit stamp. To me that is the way to do it. Or for a medical group to say that Deloitte performed an audit. I wonder if we could suggest changing the NPRM to do self attestation and as part of that you could say whether or not an auditing firm has reviewed this process, and leave open the idea that that would be a better way to go forward in the future.
This is Peter, I agree with that, but I'm always concerned about the small practices.
I would concur because I am looking back to the debacle that was HIPAA implementation in small practices in terms of fear and loathing. This should be a part of medical practice. The notion that one would have to have security audits on an annual basis by a consulting firm may make this transition to electronic systems, it could make them unaffordable.
I am not suggesting we do that in stage one. But what we could do to be responsive to comments is to suggest this concept of accreditation or auditing would apply to hospitals or group practices.
I think the spirit of it should go to everybody, but I think we need to be careful how we craft this. [Overlapping Speakers]. Implementing these in a practice, there needs to be training on some of the security aspects of this. If they start to understand their responsibility there, and certainly that is part of meaningful use, you do have another avenue. I think the spirit of what is said is right, but let's make sure we are careful about all concerned.
The other thing to keep in mind is that certainly, under the security rule today, you have the option of pulling an outside entity in.
A lot of large organizations [Indiscernible] if they had an audit plan and executing on it and doing is certification. I think it should be a preference rather than a requirement in terms of outside audit. Some people may decide [Indiscernible].
There are two parts to what I am saying. I am suggesting that the NPRM should say it should be self attestation or indication that a third party has or has not reviewed this. It is an option. But also we should have some recommendations for process, and as we move through stages two and three, that ONC put some effort into these auditing firms and the accreditation organizations. In terms of the extension centers, the vehicle to move this forward.
This is Dave, the upstream issue is clarity and expectation that there is not wide variation in terms of what people are interpreting. That verification of what the expectations are and being something that can be pushed out with small practices is a preventive approach we should emphasize.
Does anybody else have any comments on ways to strengthen the existing rule beyond what we talked about, or does anybody have any objection to any of the other bullets that were under there? We will augment them based on the discussion we have had today.
We also have to talk about the security update.
Go right ahead.
That was also a part of what it said in the NPRM I thought was weak. I thought I knew what it meant. It was talking about updates the various vendors have from time to time to plug security holes in their software. What did people think that meant? [Overlapping Speakers]
That is not what I thought it meant at all, because it is meaningful use, not necessarily the technology certification. I thought it meant in the process of your audit, with a security gap, we don't have password protection for logons for these computers, then you implement that; you basically fix the flaws that you uncover in your assessment.
The problem for those that work with technology, we tend to think about the term update differently.
I think that what Deven is saying is right.
That is fine. I think it needs clarification.
It never occurred to me that people might read that [Overlapping Speakers]
When I read it, I really did not know what that meant. You may be completely right. [Overlapping Speakers] I would like to clarify it but as part of the clarification I would like to do both, what you are saying and what I'm saying.
I think it is an assessment and acting upon the findings and also the updates. The thing I question if it is the updates as we are interpreting it here, how do you verify that?
How do you verify anything on meaningful use? In the early stages it is under attestation, but under penalty if you're audited by CMS.
How do you do attestation on updates? [Overlapping Speakers]
For software updates, there are ways to do this. For larger organizations, they could still be part of the accreditation or audit process. Large organizations are audited and the accreditation organization can check on that, and for small organizations [Indiscernible]. There are software solutions that will automatically do security updates for you.
What I'm saying is how does someone verify that? Thousands of offices and hundreds of different software packages; verify that everyone is doing that across the country?
They don't and can't, and that is true for a lot of the meaningful use criteria. You are reporting what you are supposed to be doing to CMS in the same way that you attest that you provided the service you are billing Medicare for, and part of what keeps people honest, other than generally that a lot of people are honest, is this notion that you could be audited and there are consequences. [Overlapping Speakers]
A lot of this is addressed in the certification rule.
Getting back to this security update issue. I guess I am suggesting our recommendations should include clarification and have the thing that Deven said, but security updates should include security updates from vendors, and be very specific that at least they need to be applied within at least 90 days.
What if it is not free?
The other thing is, I don't think you can apply - it depends on the organization. If you are an organization with 12 hospitals and the security update is in the next release, it is embedded in code that it will take months of preparation and testing and alerting people and training. You cannot say in 90 days it will be in.
That applies to everybody.
I think we would have to be careful about how that was worded. I am not sure I would agree that a hard requirement [Indiscernible]. We have got some security criteria that have to be in the systems to be certified. If there is a security update offered by the vendor and in particular if it is not free, but it has functionality the provider perceives to make it more difficult to get the work done, I'm not sure it makes sense that we require automatically that it be adopted.
There are situations fairly often where you might have three or four pieces of software that you're using together and because one does not support a particular technology, you can't implement an update to the other ones. There is a situation where one application supports only one version of Windows. Therefore you cannot upgrade the other ones until that piece of software will support a new version of Windows, because otherwise they will not all work together.
I am aware of these issues and since we are going to have another meeting, if we could start to draft some language around this issue. I also want to make an observation. This aspect of the security environment is about to change because we are talking about this new world where there is more patient access to these records and trying to get to portals that institutions will be developing, and trying to talk more about interoperability, about sending and receiving data, and as the systems become more open, the exact issue that was talked about in terms of how Windows worked, [Indiscernible]
Would it make sense, as part of the provider education, that they be educated on making sure their contracts have appropriate upgrades as needed by the vendors written into the contract?
This is Peter, just to clarify that. Typically people who have ongoing subscriptions with vendors include upgrades. The issue is less one of the cost of the upgrade. The upgrade potentially might be part of the base product and has not been turned on, but the capabilities to operate require huge changes to the database server or the other environment, and in our case, the upgrade is free, but the server upgrades to have the horsepower to make it work well are going to be a half million dollars.
It is something we have to do, but it's not something that we can say if we have 90 days' notice that we could do something like that.
If you missed the budget, you might be waiting for 12 months or more.
Correct. That is from a system that wants to keep up-to-date, not one that wants to drag its feet.
Let's see before the next call that we find some language and knowledge the importance of incorporating updates, but with some way to phrase it that we are not forcing providers to do every single update.
There is another interesting issue going through my head: what this is doing is forcing providers to get maintenance from their vendors. I don't know the statistics of what percent don't do that. I know for us, all of our customers do that, but I don't know if it is true with the one- or two-doctor clinics. As I listen to all this, I have heard people say that the rules and regulations and the competitive environment will end the one- and two-doctor clinics. I don't know if we are on the right track or if it is the right thing.
We're not going to talk about the rightness or wrongness of that. We need to make sure we can accommodate them.
To step back, it is a good point. I can say that virtually all of the small practices, [Indiscernible].
This is Peter, I would concur with that as well, and forgetting about the philosophical argument of small practices, I think it is reasonable to expect that a small practice that bought an EHR system years ago and is not paying for support because they feel all they're doing is typing notes in the system, that is not what we are talking about. I think it is a reasonable requirement for people entering the current world of an EHR environment, regardless of the size of the environment, to have a support and upgrade agreement with somebody, whether it is their vendor or somebody else acting as a vendor. You're facing an unsafe environment because there are quarterly updates for new medications and drug-allergy interactions that don't get upgraded, new codes and new procedures. That environment exists; it needs to stop. [Overlapping Speakers]
It is going to call out these components that make sense. It will become part of maintenance and support as this is pushed through.
These are great points. Thank you all. Does anybody have anything else to add before we go to the second phase of this, which is talking about whether we would argue for some of the rejected criteria to be put back on the table or even new criteria that were not specifically mentioned in the proposed rule? This is with respect to what we would say about the security update.
Are we all in agreement that the risk assessment and action upon that, and the updates, are separate issues? Are we going to call that out and make sure that is clear?
That is what I thought I heard. Speak now, please. Keep in mind, I just want to pause for a second. We have a work group that is fairly large in its membership. I wanted it that way because I wanted to make sure we have a broad range of stakeholder groups. That may mean for some of you that maybe there's a point that occurs to you after the fact or that you are not able to get in; please feel free to communicate with me by e-mail. I like to put this stuff up as early as possible so we have at least an interim meeting to make some midcourse corrections if we need to. If you think of something after the fact, send it to me by e-mail and we will get it under consideration, whether it is sent to the whole group or just to me, whatever is your preference. I will never consider anything settled just because there has been an email conversation, because I won't assume everybody has had a chance to weigh in.
Moving on to the second phase of meaningful use, which is dealing with rejected or new meaningful use criteria. This goes to the policy recommendation, the policy recommendation regarding HIPAA compliance not being accepted in the proposed rule for meaningful use, the fact that data transparency was identified as a goal but not really addressed. I've got a suggestion that we might think about how to address it in stage two with more specific criteria, in part because we were told by the policy committee that anything that was not dealt with in some way in the proposed rule would be difficult to get into the final rule for stage one, based in part on administrative concepts about whether you can add something totally new after a proposed rule has come out, but also I think the sheer likelihood of adding to the volume of meaningful use criteria in stage one beyond the core pieces that are already there. I am putting that on the table again because it got raised in the last call. The third thing I have here is how to better connect the security assessment and implementation of updates more toward actual use of the functionality that will have to be in a certified EHR. There is not really a clear connection, and if we wanted to make one, I think there is a secondary consideration we have to think about, which is whether you would make that part of meaningful use, which sets a higher bar, versus using the Office of Civil Rights to take a look at the security rule for an upgrade, given that we are moving more aggressively into electronic records than was the case with HIPAA originally. Let me lay that out there and get some feedback.
This is not an at them?
Yes. Maybe we can start with whether HIPAA compliance should be back in.
These may be dumb questions, but it has never stopped me before. I know one of the issues right now is many people think the formal HIPAA investigations are not occurring enough, and as a question, how many HIPAA investigations are ongoing now would be part of the question, but under a revised scenario of the feds taking this more seriously, do we envision lots of HIPAA investigations going on? The reason I ask this is one of the things I hear more from hospitals, particularly with larger hospitals, is there are always complaints going on. What does it take to move something to a formal investigation, and under a heightened sense that we need to do more for HIPAA, could we see thousands of HIPAA investigations going on, perhaps many per hospital? And the next part, if that was the question, how long do they take to go through an investigation now, and if we ramped up the volume, are we talking about months or years? I like the principle and was in support of it initially until someone raised the issue to me that there could be a sufficient number of nuisance investigations, or an angry patient that keeps raising an issue that may or may not be an issue, but because meaningful use right now is all or none, that they could put meaningful use dollars on hold right now for no good reason. I could be completely wrong. I like the notion that if you are violating HIPAA, your meaningful use dollars should be held.
I don't know the answer to how many complaints get to a formal investigation stage and whether there is some sort of specific trigger, for example in the enforcement rule piece, that we can latch onto. We could direct this at those who are facing penalties. You've definitely got somebody for whom the Office of Civil Rights has ratcheted up the level of investigation and they are basically ready to hit you with a set of penalties, and so you are definitely well past the complaint stage at that point.
And then the meaningful use dollars would be held until the penalty is paid, or you would be ineligible if you received a penalty.
I don't think we have the statutory right to a permanent bar.
I think we have [Indiscernible] on the phone. Is there anything you can offer?
A couple of points, in answer to the question, what is going on at any given time? We have anywhere around 5000 open complaints at any given time.
These are complaints that are being formally investigated?
Are they formal or informal?
We had not ever used the term formal investigation. The only time that term surfaced was with respect to the HITECH Act with regard to willful neglect cases. They said where there is evidence of willful neglect, the secretary must formally investigate the case. Until that time, there really was not any concept of formal or informal investigation. What we do have is informal resolutions, which is resolving the case through negotiated corrective action with the covered entity, and that includes everything up to and including the resolution agreements that we have issued with respect to [Indiscernible] and Providence Hospital, which do include payment of settlement amounts. These are all encompassed within an informal resolution, but at that point, the investigation itself is over.
Is there a state between convicted and sentenced, say? [Laughter] Either they have acknowledged or you have proven there has been a violation, and the sentencing is generally you are working with them to resolve it. The difference between the June 16th recommendation and the July 16 recommendation was making it clear that it was not just under investigation or, to address Peter's concern, a complaint had been filed, but we wanted to catch [Indiscernible] and how we are going to deal with it.
The closest thing we would have would be those cases for which we are unable to achieve informal resolutions. Therefore, we would be issuing at that point a notice of determination that we will be imposing a [Indiscernible].
I also want to know if there is a distinction between paying the penalty and the curing of the violation?
I think that's what she was speaking to. The informal resolution period is the period in which you are supposed to correct what you did wrong.
Let me say, there is always corrective action. You must always - if the allegation shows noncompliance, you must carry that through corrective action satisfactory to the secretary. In some cases, in addition to that curing, the secretary may, depending on the seriousness of the action, take it to a resolution agreement, in which case they would be seeking a settlement amount. But that is still n --
If we are trying to identify a specific point where we are confident that somebody has corrected the violations, I want to know whether the payment of the penalty confirms the violation is cured. In other words, a specific point in time when that is recognized as cured by the department.
By and large, it is recognized as cured by the Department when we issue the closure letter for the investigation.
That is the point we need to identify.
I think there are a couple of points. One being when the bar is lifted and you can get your meaningful use dollars, which it sounds like we might be able to trigger it with this notice of closure. But I think we are also looking for the trigger for the bar in the first place.
If there is a pending violation, that would suggest they would not be eligible.
This is Paul, I guess I have a couple of comments about this. The concept of suspending payments while there is an investigation going on strikes me as a real problem from the standpoint of due process. Just because you're being investigated does not mean you will be found guilty of everything. The second observation is it seems like CMS already said no to us on this thing. It seems like they have an entire process already in place and have a lot of remedies that the law already involves. I'm just wondering if we are doing anything valuable here? [Overlapping Speakers]
You may not remember this particular part of the policy committee, but I asked Tony from CMS about this, and their major concern in taking it out was the lack of a clear trigger for when people would essentially be on suspension and not have their meaningful use payments. Not that they had a fundamental disagreement with where we are headed, but they did not want to do it at the complaint stage and they were not sure that they had a clear trigger. In fact, Tony invited us, if we had more specific language, to offer it.
If it helps them and solving a problem for them. [Indiscernible]
This is John Huston, there is another way to look at this. If you were certifying you have met these criteria and it later comes to light that you have not met the criteria and the certification is in fact false, the bigger issue in my mind is if an organization has been provided with or given large amounts of money associated with meaningful use and is later found to have a defective certification, not just these, but other ones. Is somebody going to come back and ask for their money back? Is that sufficient leverage to cause people to not want to misrepresent certification?
This is Terry, to that point I agree with that concept, but as far as I can tell, there is no requirement that you certify HIPAA compliance beyond the security provisions as part of this standard. While I agree that would be a great concept, there is no fundamental certification in the first place to allow that to occur. I am for finding ways to make the rule clarify that using technology to protect information goes beyond security and includes privacy. This is potentially one way to get that. There could be a certification that you are in compliance with the rules. There may be other ways to achieve it. I do agree that finding some way of using privacy as part of that standard would be preferred. On this particular solution, just to clarify what it is we are talking about so I understand, two questions. Are we talking about suspending the payment during the time this investigation is happening and then, not just turning the payments back on, but getting back any money that would have been paid during that time? Are we talking about full restitution of all payments owed or just picking them up again from the point at which things are cleared? The second question is, as I understand it, [Indiscernible] gives attorneys general the authority to enforce HIPAA as well, so does formal investigation include those investigations as well as OCR?
All very good questions. I think with what we intended - I don't think we have the authority under the statute. If you are otherwise eligible for a meaningful use payment and what is keeping you from getting it is that you have got a HIPAA compliance issue that you have not resolved, again assuming there were to be criteria for you to certify that, depending on the series of triggers, you'd have to be eligible for your full payment. I don't think there's anything in the statute that gives authority that you would not get the full amount for which you would be eligible according to the criteria. We probably have to be clear about that since these payments are staged. If you would otherwise be eligible for stage one for the first year of payment and what was barring you, this is how we envision it, was that you had a HIPAA problem that went beyond the complaint stage, once that got resolved, I liked the concept of the closure letter, CMS would then have to pay the money.
Is there not some penalty implied by some kind of lapse in time because the payments vary by when you qualify?
We can certainly check with CMS on this, but I don't see if you were eligible for a stage one payment, and this was your bar, I think we would have to be clear that the intent was that you would miss it entirely. I don't see anything in the statute --
I am suggesting the eligibility would occur at the time you're fully eligible, and if you fail to comply within the timeframe of stage one, you would be bumped down. It feels to me that that is a deterrent.
I see what you are saying.
I think this is an opportunity to ensure HIPAA compliance and we need to find the first trigger that CMS was asking the policy committee to identify, because we seem to have identified the closing trigger, which is the letter. I think we need to find the first trigger. I think it is fair to say that somebody should not be determined to be guilty before there is some request for a cure. What we need to know is, what is the official request? When does that occur? How is it conveyed by OCR, for example, that you must cure X? What do you do?
This is Peter, also the timeliness of that. Indeed, if it is framed that meaningful use is all or none, then regardless of attestation, if there is a HIPAA privacy investigation going on you would not qualify for that unless you miss a year. If an investigation takes longer than the period of time, that could be problematic as well. I can't remember who made this comment before that there were about 5000 investigations going on, to know whether that is five dozen directed at individuals or three that are at a hospital [Indiscernible]. I'm not asking this facetiously, but just to know the state of the state and with some notion of upping the level of investigations that has been called for. Will we be saying the process of resolving these is going to take a significant period of time, or will we be saying the way we want to frame this rule will essentially disqualify half or a third of hospitals from the meaningful use payments just because of a process for investigation? That would be a problem. [Overlapping Speakers]
We have got a bigger problem than that if 80% of hospitals have violations.
We are not saying they are serious, they are being investigated.
We have this and they are not frivolous. I think your point is there, I think we have to better understand it.
Some of them may prove to be frivolous and some of them may prove to be not a real violation, but even where there are indications of violations, many of these cases do involve issues. A complainant did not get the access he requested. This may turn out to be a single case of an individual who did not get access. In other cases it may disclose something that is systematic within the entity. It may be an individual who thought that the receptionist in the reception area was speaking too loudly and called out his name too loudly. It could be someone who has a serious - we are now getting breach notifications and each of those will go into investigation. It could be that a computer disk was stolen and that has exposed thousands of names potentially to misuse. We really have a broad range of issues that come up to us in the form of complaints. I think the question for you all is, what do you see as a serious noncompliance that you are concerned about with respect to the meaningful use funds? Whether the notice of determination for initiating a CMP action would be the threshold for that kind of serious violation.
CMP is a civil monetary penalty.
I don't know enough about when they are applied or how they are applied, or whether they would be applied equally to a computer that was stolen and there was a breach and the same as toward willful negligence.
I think the other issue that her comments bring to me is, is it appropriate to use the meaningful use program around health care technology to enforce compliance with things that have nothing to do with health care technology, like a nurse speaking too loudly?
I think the intent of this category was to be foundational. We have said this was important so I think it is part of meaningful use of the technologies that you have to comply with the privacy rules. We do have the problem that a lot of these cases can hold up meaningful use for the entire system throughout the enterprise on some of these individual cases. I think the Recovery Act does give us degrees of egregiousness, and perhaps one of the thoughts is to look at the highest tier and say, that is clearly a deliberate misuse of this technology and that would definitely not be a meaningful way to use this technology to improve outcomes.
I think the other suggestion is, I'm trying to think of the tiers that are directed to the egregiousness of the offense.
The HITECH top tier is willful uncorrected neglect, below that is corrected willful neglect, then it is reasonable cause and then not knowing.
I think when we get to willful, we are talking about that it has been determined. If we know that it was willful neglect, I don't know that that qualifies an organization to be deemed a meaningful user to improve outcomes. I think protecting privacy is part of meaningful use. I think that is a strong suggestion to put on the table.
Could you read the Top two again?
The top two are both willful neglect. The second to the top is willful neglect, but corrected. The top tier is willful neglect and you did not fix it.
I certainly think that gives us something to think about. I would want further clarification on an example of what willful neglect actually means. Certainly there's a layman's interpretation, and I think to all of us it means that these are people who should not be practicing medicine. My guess is if we could get a summary of cases, we might feel differently, or maybe not.
There is a definition of willful neglect in the regulation.
How about if we do that, with a focus again on the top two categories, and come up with some trigger language that has some specific definition and uses some of the terms that were brought up today with respect - you're getting [Indiscernible]
That sounds like a good idea.
I would just say one other thing with regard to how some of these cases go and what would constitute closure. For instance, if we do take a willful neglect case to a CMP and issue a notice of proposed determination, the entity does have appeal rights, so they can first go through a [Indiscernible] proceeding which will either sustain our action for the CMP or not, and we can't enforce the CMP until after the ALJ has ruled. Even after the ALJ has ruled, they have the right to go into court to challenge that determination.
Is there a time frame for which that process has to occur?
There is a time frame in which the entity has to request the hearing. Then there are some procedural time limits, but I think it is generally driven by when the ALJ can docket the proceedings. I don't think it has to be wrapped up within a year.
There is no average time frame because we have not had a case and have not exercised the CMP authority.
One of the other things I will do is some checking offline with Tony and his staff and folks in the legal counsel office on whether, if in fact those investigations took too much time - I think I was assuming that once the investigation closed, and you were otherwise eligible during the payment year, you could still get a payment, but that is not 100% clear.
I think the other part of that question is, as I am thinking about the statute in terms of no incentive payments being made beyond that year, it may indeed mean that once you are beyond the payment period for a measure year, it may not be able to be paid out.
I will definitely check on that because that is pertinent on making a decision.
Okay, good discussion. There were two other things. The mention of data transparency to patients and consumers and the fact that it was mentioned on the matrix, but even the meaningful use group had not really put forward any specific objectives or measures, in part because we had HIPAA compliance as an objective and measure and there are transparency requirements in HIPAA already. The other thing I noted is I'm not sure we necessarily intended to single out data transparency as necessarily more important than other privacy issues. It is just that we had identified it as a priority. I think others can tell me if I'm wrong, but I just did not get that kind of focus. What I was putting out is that we look at what we might think about recommending for the stage two requirements on privacy and security and [Indiscernible] rather than try to think about some criteria for data transparency. The last piece of this is whether we want to create some sort of linkage in meaningful use, or through recommendations to update the HIPAA security rule, to tie more closely what providers do with the other capabilities that are now required to be in the technology. Does anybody have a problem with thinking about data transparency in stage two? Okay, great. It would not be just that, but we think about what priorities we want to pull out for a second stage of measures.
Devin, this is Terry, on that note, transparency seems like a good one to investigate. The other thing I think is lacking is that the objective on this particular proposal is to protect information through proper technical capabilities, but then it only refers to security. Are there other ways we can get that to now require, or at least indicate, technical capabilities that are about privacy, and can we cross link to at least those earlier rather than later, since we know that three medically people will have to be doing the spirit, for example the [Indiscernible] as I understand it [Indiscernible]? Is there some way to link to that through attestation or to otherwise build an acknowledgement that you not only have to have that capability in your software, but you have to be using it to accomplish the HIPAA requirements?
Are you laying it on the table as a potential stage two conversation?
I am assuming that is what will have to happen. I defer to others who are much more enmeshed in this.
Not only is it practical, but we have the standard or functionality for the technology, but the civil rights office still has six months to come up with a regulation about what needs to be included. I think all that process pushes out the time frame even further. There is a set of timing deadlines, as early as 2011 for new technology adopters, but the secretary has some authority to extend that. I think it is a good suggestion to essentially put on the potential priority list given that is a requirement. I just don't think we can get it done for stage one.
Can we express some interest now in seeing that addressed and that we are concerned about it?
Yes, at a minimum we can say - focusing on what would be needed for proposals and our tentative work plan. I don't think it is out of bounds to say we are going to be looking at that.
This is Terry again, we may not be able to do this in time to meet this comment period, but I assume, as further development through the committee and otherwise happens on things like additional certification requirements over time, to include for example technical capabilities to support consumer preference choices, consent authorization and what have you. I know that is a whole other discussion. But just to acknowledge that as the technology developments and the standards and criteria develop, those should be reflected as part of the meaningful use requirements over time.
I don't know how close we are going to get to touching on it today, but I've got technological functionality to help providers comply with patient choice requirements or policies that are already in effect to talk about as a potential early stage, because they exist in the law today, and this is something that we will get to in just a second. This is something I was actually told during the policy committee meeting that they were not provided a standard for by the standards committee, but I am not necessarily sure that is true. Is Dixie Baker on the phone? We may not be able to get into this in more detail. [Overlapping Speakers]
This is Kathleen, I wanted to let you know that on the ONC web site there are recommendations from the standards committee, discussed with the HIT committee, related specifically to access control.
Access control is what enables you to use the technology to help manage patient preferences and consent.
This was presented and I can send the link to everyone so they can see this was in fact discussed.
That would be great.
We have that up on the agenda, if we can hold off for a minute so we can close out the discussion about linking, the overall point being there are technical functionalities that are required to be in a certified EHR technology that are related to security, and yet we don't necessarily have the requirement from a policy standpoint to use them, either as part of meaningful use or as something that you are required to address in the HIPAA security rule. They are all addressable, meaning you should think about whether you want to put them in place; it is certainly not a requirement to use encryption when you are transporting data. There are lots of incentives to do that, especially now with the breach rule and the safe harbor, but it is not a requirement per se. I was trying to think of a way to connect what is required under the security rule with the use of these functionalities, and I think initially I thought why not think about meaningful use, meaning now that you have these functionalities you have to use them and that should be part of meaningful use. I am concerned about just imposing those requirements on meaningful users versus approaching stronger security requirements through an update to the security rule, which would take longer, but would avoid the disincentive to adopt the technology that might take place if we load too much into the meaningful use bucket.
This is Kathleen, I was wondering whether the certification criteria could at least spell out some of these requirements for us, so at least the vendors are thinking about having those capabilities in place.
Unless I'm missing something, the fact is these capabilities have to be there in order for the EHR technology, either as a system or module, to get certified, but do you actually use it to protect data? Maybe some of them are self-effecting but certainly not all of them. I'm going to propose something: we think about that question I have laid on the table in the context of moving to a discussion on the standards in the interim final rule and what we might want to say about these standards, and pick up that discussion as part of that thread. Again, you've got the materials; moving on to talking about the standards that are required for EHR technology to be certified, you have the table replicated in your materials. It includes encryption, audit log, the use of a secure algorithm to verify the information has not been altered, enterprise authentication and functionalities with respect to complying with the accounting for disclosure rule. I put down issues to discuss. The top one is the notion of the missing standard - missing certification criteria; it seems to me that there was not one for access control. The systems are not going to be required to have some sort of functionality provided for access control which helps entities manage the patient consent requirements that they have to comply with under existing law or because their organization has a policy that requires it.
This is Kathleen, I wanted to see if someone can help clarify how that table for the IFR relates to table one in the IFR, which would be page 28 of the Federal Register. It has a huge section at the bottom that talks about the certification capabilities and it specifically speaks to the control of access and a recording of disclosures, etc. It is much more explicit than that table. I think it would be good to figure out why the table does not reflect what is a requirement under certification.
This is Paul, I can do my best to respond to that. The table in the minutes is intended to summarize the standards that are adopted for privacy and security. But just adopting a standard doesn't necessarily do anything; you have to have certification criteria. The table you referenced is probably a list of certification criteria. The certification criteria can be certification criteria around a standard, but they can also be a requirement around a technical requirement which does not necessarily have a standard. You can get certification criteria that say all passwords have to have at least six characters. That would be certification criteria around a technical requirement that does not involve a standard.
Let me just clarify something. Is it or is it not the case [Indiscernible]. It did not look to me that there was a standard for access control; I often refer to it as consent management. I don't understand how that is linked to managing consents. At any rate, it does not look to me like a system has to have the functionalities in place in order to be certified, but correct me if I am wrong.
As far as I could tell there is no standard for it. I'm not sure it has to have it, looking at the certification criteria. You can put the functional requirements to have it without specifying a standard.
This is Kathleen, the reason it is confusing is the set of standards in the material that was sent out do not always specify specific security standards. They are sometimes describing standards from a functional point of view. You would think that a requirement to certify that the system can verify that an entity seeking access to electronic health information across the network is the one that is claimed and authorized to access such information would also be reflected in the table.
This is Paul, it does not have to be, because that is a good example of certification criteria around a technical or functional requirement for which there is no standard. They are saying to the software vendors that you have to meet this criteria and you have multiple ways of meeting it.
I guess it is possible I pulled out the wrong piece. I don't want to get into a discussion of which table is more authoritative with respect to what has to be in the systems. What is more important for this discussion: do you have to have some kind of access control functionality, even if it is not a specific standard, in order to be certified?
I think we should just ask that they make it very clear that there is a certification requirement for access control and that be reflected as a functional standard in this table.
This is Terry, just to be clear, when we say access control, the person trying to access it is in fact who they are supposed to be, that is one. It does seem to be reflected in the table that I am looking at. The second part is that they are authorized for this particular transaction, that this particular transaction is authorized to occur and to this person. It is not just that the person has a right, that the person is who they say they are, but that they are also properly able in this case to access this information, or looking at it from the other way, that the entity that holds the information is authorized to disclose it to that person.
I will send out the certification table and it speaks to both the access control internal and across the network. In addition, access control often means that in addition to actually getting the information, some kind of permission or authorization about how the information is used. You could get read-only access, or you could have access that allows you to modify the data or disclose it further.
Okay, we will definitely have to get clarification on this. I was under the impression that access control criteria, whether in the form of a specific technical standard or a requirement for a technical functionality, were not in fact in this rule, and the reason for that, I asked this question specifically and was told we did not get a policy recommendation from the standards committee on that. It could be I am just misunderstanding what is going on and we will certainly clarify. If, in fact, there are standards and functionality that go to the access control piece of it that is helpful to adjudicating whether somebody has the right to access information and with patient consent and managing patients' consent, I think that is helpful for us to know.
This is Terry, I would agree that it would be great to get that information, not just because it has ramifications for how health information exchange networks are built and managed and what kinds of services are provided. There are questions going on at the state level about whether we need to have some sort of central consent management process, and I think the assumption is there either won't be a consent management process available in each resident EHR or it will be good enough. Knowing how strong the EHR capabilities are would help to influence what we do on the HIE side.
This is Paul, I agree with your summary of what you need to do in terms of doing the review. I have one issue that is somewhat related, which is, in the IFR, I did not see where it addressed segmentation of the record. To do some of the things we've talked about, like limited access to sections like behavioral health or reproductive health, you need to have segmentation. I think what recommendations on the IFR should be is there should be something that alerts the vendors that in stage two, segmentation of the record will probably be a requirement. The reason for that is it is a lot of technical work and we need to get the vendors started on it if this is something we want to have happen.
I think that is a good topic to bring up. I am not sure what segmentation of the record would really mean. The example that is given sometimes is, if I had an abortion 20 years ago, can that be suppressed? I think we can suppress certain things, but my worry is, when the meeting talks about trust, I am afraid we will not be able to get trust because we cannot get rid of everything. Even if you segment the record, there is the appointment information that is stored. You have the visit to the primary-care physician and maybe a visit to the gynecologist or the social workers, and they have notes stored for each. You've got the lab results coming back that have not been segmented. You've got the procedure, the room and notes from that. You might have the drug given to prevent future pregnancy problems. You've got phone calls, but there is follow-up. You've got medications, financial transactions. My big worry is, one, we will have patients that rely on us and I don't think there's any way to follow all of the threads. You even have later on the question, the three things at that ASCII, suppose the woman for a while said the correct numbers and later on decided to change that; it can reference the wrong numbers because it does not know how to look for that in the notes.
[Indiscernible] I think there are some things that vendors and providers do feel comfortable segmenting. There are others that may be impossible to segment. As we gain more trust of patients, and I think people have been doing that for a long time, we should not set unrealistic expectations based on the technology but also based on good medical care.
All of this is closely tied into our conversations about patient preference. I do think at a minimum we can be letting folks know that we are taking that up and we are going to look at both policy as well as technological functionalities that will need to be in place, so we are sending smoke signals that there could be some higher expectations in this regard, but I do think it is a complicated conversation.
It is very complicated, and I think when you put it all together the word trust is so important. It is going to be almost impossible to ensure [Overlapping Speakers]. Even who is your carotene in many cases. Suppose you want to hide diabetes; is your yearly eye exam going to be turned down because there is no reason for it? I think what will happen is the insurance companies will have people who can spend the time looking for the fact that things are not there. They're going to be able to do the stuff patients are afraid about, but the doctor who only has a limited amount of time will not be able to give the attention to the record for hidden stuff and then give poor care. It is like the worst of all things happening.
Let's suspend further conversation on that until we actually have an opportunity to do so and is not seven minutes until the end of the call. On that note, clearly we have some work to do to prepare for the next call. I want to ask you all, because we are running out of time and we need to open up the lines for public comment as well, to start providing me with your wish list of what information you think we need to have in order to tackle this patient preference conversation. I think we got a sense of some of the aspects of it as part of this data segmentation conversation. I know we will have at least one hearing on this issue. I wondered whether it will be a series of hearings, but at a minimum I want to start sketching out and work plan and time frames for tackling this and I need your help. Just so you know, there has been work that is been done by ONC, a white paper in particular that looks at the ways the exchange organizations have been implementing policy and that should be helpful and that is close to being ready to be distributed to us or at least the high-level conclusions shared with us.
Devin, I noted that national governments associated released a report as well coming out of their state alliance efforts.
If we can get that circulated as well, that would be terrific. Since we are running at a time, I suggest we stop it by inviting you to e-mail me anything and everything you think is relevant to put on the table and I will start sorting that.
What we talked about with the [Indiscernible] and the types of topics we can help out on, the idea of sensitive data types and stuff like that, I want to leave that on the table is that it seems like there is more topic then there is capacity.
We want to also be well aware that a trend of the work that you have done. We are going to have to open up to the public but we have to cut our own conversation short so we can have an opportunity to hear from folks not on the work group. Judy?
I'll have the operator open the land for public comment. I think the next workgroup meeting is February 3, is that right?
Operator, do we have anyone on the line?
Hi, everybody. Can you hear me?
Thank you. First of all, I want to congratulate Paul and the people who brought up the critical issue of the ability to segment information. Not only is segmentation not in meaningful use, and of course it needs to be because it is a legal requirement for sensitive information, but we have to get these capabilities because, as Paul pointed out, there are many kinds of sensitive information. John Houston, we specifically disagreed that there needs to be categories of sensitive information decided by people other than the patient, because patients have privacy preferences that are different and the technology can't allow for them to be expressed. That is what the focus groups found, that people really want to exercise their individual rights to determine what is private. I think it is really important about sending smoke signals to the industry. It is important to tell them the ability to do this will be essential for EHRs going forward. We are aware that many EHRs cannot do this right now and I am not enough of a technologist to know if some of them will ever be able to. The public is never going to stand for eliminating the right to segment information. Whatever it will take, I would urge you, when you have these hearings, to look at the systems that are already doing this. The [Indiscernible] systems, the sensitive health data and others. The private access system allows segmentation of different information to be presented to clinical researchers. The nation and the government need to see what is out there. We are tired of the industry saying that we cannot do this. This is very familiar from all other industries. If you think of the auto industry, they never would have added seat belts, air bags or fuel efficiency if it had not been required by Congress. We really need the innovations to happen. The other things I want to point out that are not in meaningful use that are important, we believe that consent should be part of that.
In fact, the right to stop the disclosure for payment and health-care operations, if you pay out of pocket, is a HITECH requirement. That requirement means there has to be functional consent. I would point out also that the HIPAA privacy rule in itself allowed individual doctors or providers to agree to use a consent process for the disclosure of patient records. We have to be able to exercise that in every electronic health records system. Again, we fully understand the industry does not want to do this and may never want to do this, but realistically, what your job is, is to set the bar and make sure the industry moves in the right direction over time. These are existing federal requirements that need to be part of meaningful use and are not. It is very significant for people who want privacy to at least be able to stop their information from going to a health plan and payment if they pay out of pocket. The issue is really, when we don't have privacy, how many people will stop getting treatment, and when people stop getting treatment, you can't say they are getting quality care. We would really urge you to set the bar to meet existing federal laws which, if you look at them, the right to stop the disclosure when you pay out of pocket for payment and health-care operations, that is a consent preference that needs to be put in place as soon as possible. Americans care about this issue and there is not another way to have trust. I really encourage you to stick with your plan on requiring the ability to segment sensitive information and to move up the time lines for meaningful and effective consent. Thank you.
Just to add in, if anybody else from the public wants to make a comment, press star one on your phone and the operator will open up the lines one at a time.
If you have a question or comment, press star one at this time. We have no questions at this time.
I think we are done, we are a little bit over. Thank you to everyone for what I think was a great meeting. We have more materials to come. Send me your suggestions and have a good weekend.