[This Transcript is Unedited]
Sheraton Buckhead Hotel
3405 Lenox Road
Atlanta, GA
Agenda Item: Welcome and Introductions, Dr. Lumpkin, Chair
DR. LUMPKIN: -- this meeting actually was scheduled and then rescheduled, the National Health Information Infrastructure Workgroup of the National Committee for Vital and Health Statistics. We're going to start off with introductions around the room. I'd like to remind everyone that we are as our usual action going to be over the internet, so please speak into the microphone so people out in cyber land can hear you, and we do have a very tight schedule today so I will be keeping the speakers to their allotted time so that we can have discussion and continue with our very full and interesting agenda.
To start off with, my name is John Lumpkin and I am chair of the Workgroup, and I'm also senior vice president of the Robert Wood Johnson Foundation. Mary Jo?
DR. DEERING: I'm Mary Jo Deering, I'm the lead staff to the NHII Workgroup and deputy director for eHealth and management in the Office of Disease Prevention and Health Promotion in HHS.
DR. HARDING: I'm Richard Harding, I'm the interim chair of psychiatry at the University of South Carolina and a member of the Committee.
MR. HUNGATE: Bob Hungate, principal of Physician Patient Partnerships for Health and member of the Committee.
DR. YASNOFF: Bill Yasnoff, senior advisor, National Health Information Infrastructure, Health and Human Services.
MS. WILLIAMSON: Michelle Williamson, Health informatics specialist at the National Center for Health Statistics, CDC, and staff to the NHII Workgroup.
DR. ORTIZ: Eduardo Ortiz from the Agency for Healthcare Research and Quality. I'm the lead person at the agency for clinical informatics and I'm also staff to the NHII Working Group.
DR. FERRER: Jorge Ferrer, Centers for Medicare and Medicaid Services, medical officer.
DR. LOONSK: I'm John Loonsk, I'm the associate director for informatics at the Centers for Disease Control and Prevention.
MS. DAVIES: I'm Jac Davies, I'm with the Washington State Department of Health where I'm the assistant secretary for the division of epidemiology, health statistics, and public health laboratories.
MS. MURPHY: I'm Anne Murphy, I'm the chief legal counsel and chief privacy officer for the Illinois Department of Public Health and a speaker this morning.
DR. HUFF: I'm Stan Huff with Intermountain Health Care and the University of Utah in Salt Lake City, a member of the Committee.
DR. STEINDEL: Steve Steindel, senior advisor for standards and vocabularies, Centers for Disease Control and Prevention, liaison to the full Committee and staff to the Working Group.
MR. BLAIR: Jeff Blair, Medical Records Institute, member of the Workgroup and member of the full Committee.
MS. GREENBERG: I'm Marjorie Greenberg, National Center for Health Statistics, CDC, and executive secretary for the Committee.
MS. O'CONNOR: I'm Lilly O'Connor and I'm the director of operations for the California Cancer Registry.
MS. WEED(?): Gerri Weed from CDC, support staff to NHII.
MR. HALL: John Hall, State of Nebraska NEDSS Coordinator.
DR. LINCOLNS(?): Rob Lincolns, acting director of data management division national immunization program, CDC.
MS. WILLIAMS: Gail Williams, acting chief of the immunization registry support branch, NIP CDC.
MS. HORLICK: Gail Horlick, NIP Centers for Disease Control and Prevention, and staff to the Subcommittee on Privacy and Confidentiality.
DR. MEARS: Hi, I'm Greg Mears, I'm with the Department of Emergency Medicine at the University of North Carolina at Chapel Hill, I'm also the state EMS medical director for North Carolina.
DR. WILLIAMS: Warren Williams, Centers for Disease Control, National Immunization Program.
MR. HOPFENSPERGER: Dan Hopfensperger, program manager for the Wisconsin Immunization Program.
DR. LUMPKIN: Well, good morning. As you know the focus of this particular hearing is related to public health, also related to surveillance and other activities which is why we wanted to come down close to the CDC which is the center. Obviously there's been a lot of national focus on the work of the Centers for Disease Control and anyone who woke up this morning to CNN saw Julie Gerberding on CNN every five minutes, I hope she's comfortable with that quote because it's coming back again and again and again.
MR. BLAIR: For those of us that didn't watch CNN what did you hear?
DR. LUMPKIN: They're doing a promo for an 8:00 show tonight on SARS and so it sort of has a couple quotes from Julie Gerberding, well one basically saying that we're not clear on how big this is going to be because we're just in the beginning of this epidemic. She said it actually nicer and much more succinctly. But one of the things that I wanted to talk, just to mention before we get started is that the environment in which we are operating is significantly different. As you know we as a Workgroup worked very hard in our report, we published a report over a year and, almost a year and a half ago and pretty much at that point we thought it was on to deaf ears, except for the fact that it helped Bill Yasnoff get a different job. But all of you should be aware that there has been a lot of interest on the issues raised by our report by the senior levels of the Department of Health and Human Services. In November the Institute of Medicine at the urging of the Department released a report on rapid advances in health care, one of those sections was on health informatics, and there was a roundtable in November that the Secretary attended for a full day sponsored by the Institute of Medicine which I and Don Detmer(?) presented for a one hour roundtable with three or four other people, directly with the Secretary and Harvey Feinberg, the head of the Institute of Medicine.
Since that time there was a town hall meeting in Detroit in which the Secretary opened up by commenting on the fact that there's a major problem in this country where there's better automation at the check-out counter in a grocery store than there is within our health system. He announced the adoption of the clinical data standards as recommended by this Committee and endorsement of the Consolidated Health Informatics Initiative, which is a combined initiative of the Departments of Defense, of Veterans Affairs, and the Department of Health and Human Services, and endorsed the proposal which FDA has now released rules for bar coding of pharmaceuticals and medical supplies, all of which represents a significant commitment at the highest levels of HHS, from the Secretary on down, to the areas that we have discussed, really beginning to move forward the agenda on the National Health Information Infrastructure, so it's very timely that we have this discussion today to keep in focus.
At that meeting I did change my slides, which I've been using in doing the presentation on the National Health Information Infrastructure, and where we talk about population health I put in under parentheses there preparedness, because I think that that is a very key component of what we're talking about that as we move this agenda forward that the new reality since September 11th has really pointed out the importance of having this ability to monitor and to use and approve the health information so that we can have a high quality, efficient and effective health care system.
So with that we're going to move to the first panel and we're going to start off with our first speaker who has already introduced himself, Dr. Loonsk.
DR. LOONSK: Thank you. I'd like to thank the Working Group for this opportunity to speak and we do indeed feel this is a very opportune time in terms of the confluence of both the public health needs starting with West Nile, moving to Anthrax, into smallpox preparation or preparedness, and then into SARS, as well as the exciting activities that John has already mentioned around the work of this Working Group, the work of the National Committee, and the Consolidated Health Informatics, and we think this is a very opportune time to talk about these activities.
My presentation will be focused on the public health information network. There has been a history of a number of information technology initiatives related to public health that have shown the value of information technology, the Health Alert Network working on internet connectivity, alerting and distance learning. The National Electronic Disease Surveillance Systems, or NEDSS, working on disease surveillance and electronic laboratory reporting. The work in the Bioterrorism Preparedness and Response Funding, the work of the Laboratory Response Network on diagnostic capacity and information delivery, other efforts like the Epidemiologic Information Exchange about secure interactive communication, the activities around web-sites, the CDC web-site as a major tool for information dissemination as well as web-sites at state and local levels, and work on the National Health Care Safety Network. But as Dr. Lumpkin indicated, there is now a new bar for preparedness that we need to achieve, and public health is being tested by these new needs and it is a time to achieve a new level of coordination and interoperation among the different functions and organizations of public health, and that is what the Public Health Information Network is, and it has been identified by Dr. Gerberding, CDC's new director, as one of her top three priorities for public health in her tenure at the CDC.
What's part of the problem here? Part of the problem is that public health is diffused in its organizational implementation and involves many organizations working together and exchanging information. That the U.S. health care system from an information technology perspective is still relatively fragmented and getting information and consistent data out of it is relatively problematic still for public health. That the current information cycle in public health partly because of the many different organizations that are participating, as well as the historical categorical funding for surveillance and other activities early into particular diseases has led to an information cycle that is still long and frequently, if not mostly, involves the manual exchange of information. And as indicated earlier, that the new realities of terrorism and preparedness for disease outbreak requires a new level of operation and interoperability.
So the vision for the Public Health Information Network is indeed to transform public health by coordinating its functions and its organizations, and to enable real time data flow, at least close to real time data flow, to support computer assisted analysis and decision support, to facilitate professional collaboration, and use information technology to fully achieve the rapid dissemination of information to both public health as well as the clinical care community and the public.
The vision for the Public Health Information Network is a broad one, as I indicated cross multiple functions. It includes the areas of detection and monitoring, this is inclusive of activities early on in bioterrorism detection, in the areas of syndromic surveillance and early indicators of possible outbreaks. It includes the more routine surveillance and reporting operations of the National Electronic Disease Surveillance System, as well as the analysis of these data and the conversion of these data information at all levels of public health to make good decision.
The Public Health Information Network includes information resources and knowledge management, the ability to focus these information and present them in ways that support decision making, as well as alerting and communication and including the broad communities that I identified before, and the large and still developing information systems needs of response, having identified an outbreak, having identified an attack, the coordination and management of prophylaxis, vaccination, and other response activities is an area that still needs attention and been relatively under attended to in information systems development.
How do we get there? What type of network is this? The whole idea of having a network and naming something to try to sweep up some of these other initiatives and coordinate them in a way that can bring together the interoperability of the different functions has both positives and negatives about it. We are striving to make this as interoperable as possible, a framework that can work with other networks, that can work with other information systems, and doesn't wall itself off from those activities. That this is a dual use network, that it needs to meet the needs of both homeland security, bioterrorism preparedness and response, as well as routine public health. For the former to be functional it needs to have a well trained and active public health workforce constantly using the system, working the activities of the system to ensure that when an event does occur it will be identified and that the capacity to manage and respond to it is present. That part of the vision for this has to be reducing the reporting burden, that it is well established that the clinical sector will not do manual entry to meet public health needs and so a major emphasis for the Public Health Information Network has been and will be on using electronic data that is accumulated or managed for clinical care purposes or for lab information management purposes, and reusing those data for public health purposes. And there's significant evidence that indicates that this is not only, will help reduce reporting burden but will actually facilitate public health activities. That we are talking about moving toward real time, live data and continuous monitoring of the nation's health, and that we need to support users. This is not a system to replace the public health personnel infrastructure, it's a system to support it.
To give you an example of how this looked in a retrospective fashion post anthrax we did a significant analysis of the information flow that was necessary during the anthrax response, and part of that is represented by the different yellow arrows that are the on the screen in front of you. This represents some of the information exchange that was necessary and unfortunately the majority of information and data that was exchanged was done via telephone and one person picking up the phone and calling someone else and saying that the lab result was positive, or saying that this particular case was positive. And that does not meet the bar for preparedness that we're trying to achieve.
So to get to this network, to get to this new level, we have been pursuing it through some of the component initiatives, a process that in retrospect looks something like this. First, to identify the relevant industry standards. These are both technical and data standards, and to do this obviously in keeping with activities of the National Committee on Vital and Health Statistics and Consolidated Health Informatics, and obviously as NHII grows to maintain harmonization in that respect. To also develop very specific specifications. You can think of these as in the example here is if the industry standard is HL7, lab result message, the specification is an implementation guide for a lab result message that unambiguously specifies that, which those data that need to be exchanged and will allow for doing the work between these different organizations of exchanging these data. There's a lot of work that needs to be done at this level to detail these very specific data exchange and technical specifications.
We are then funding through these specifications. And last year over a billion dollars went out in a cooperative agreements, some through CDC, some through HRSA, and both of them had what were then called the IT functions and specifications, which identified the technical and data standards for this network attached to them, and the requirement exists that if these monies are used to support information technology that those information technology activities need to be done with those standards.
We also find that a necessary step is to develop transitional software that implements these standards now, otherwise we are stuck in the cycle of people recognizing the importance of standards, recognizing the importance of having data interchange specifications, and technical interchange specifications, but also recognizing that they need to do work now and need software and systems that support their current work. What we have found to be helpful in this regard is the development of functional software components that can be delivered and made available to public health participants that implement these technical standards so that they can be achieved now versus having to wait for subsequent cycles of software development and iteration. One example of that is we've the software for an industry standard based EBXML interorganizational data messaging system that can exchange HL7 or X-12 message content, and do that with a handshake between systems that is standards based.
We are also encouraging partners in the private sector to implement the specifications, and to indeed encourage the new interest of the private sector in public health. Public health had historically been a relative niche market for software development but the influx of monies that I've referred to already has brought a lot of interest in public health software development and so we were working with the private sector to encourage them to implement these standards and specifications in systems they develop.
And then the final step on this, which we have just really started to pursue, is that of supporting conformance testing to ensure that the standards are indeed implemented and to be able to have methods for the evaluation of the implementation of the specifications to assure interoperability.
The types of things that this needs in terms of ongoing needs for Public Health Information Network indeed include additional work on standards identification and specification. With the number of activities that are going on at the national level we are eager to tag onto industry standards that are identified and do work in this public health domain for internal specification development that gets us to that level of specificity to do the work of this activity. We are also working on foundational elements for public health partners that support integrated interoperable systems. Since much of the funding for information technology that has historically gone into public health has been focused around disease categories or around specific initiatives there is a need to implement shared functions or components in public health participants around directors of individuals, around data exchange, around standardized data stores and the like. I mentioned the need to develop transitional software components, those needs are ongoing. And the need to support conformance testing and integration assurance.
The three broad thrusts for achieving the Public Health Information Network can be described in these categories. One, a technical systems architecture for how systems need to be constructed to be interoperable. Two, a sub-component of that, which relates to implementing a live network for the exchange of very specific data. And three, work on a shared data model and vocabularies for public health participants.
In terms of the systems architecture part of the complexity of this as I've indicated before is that it relates to many different participants working together to support the public health mission. We have in funding activities been able to focus most specifically on health departments at state and local levels, and through work with HRSA have started on work around clinical care activities and integration with public health, but it also involves work in public health laboratories, and other state and federal agencies that need to participate in public health and public health response. And as evidenced through bioterrorism response, the needs of first responders and law enforcement are also significant in terms of information exchange with public health as well.
On a more specific level looking at a health department, we have made efforts on systems architecture that includes some of the areas identified in this slide, work on directors of participants in public health, both for communications in terms of alerting and notifications as well as authentication and authorization to public health systems. Working on data exchange methodologies, and I'll talk a little bit more about that in a moment. The area of web services and interchange, that not of routine reporting character but of being able to query a different organization, for example, to determine whether someone has been vaccinated for a particular pathogen is a developing area.
The area of security to ensure that these data are well protected and that practices for continuity of operations are ensured. And increasingly, the left side of the slide, areas around standards for content delivery around the identification of content, the tagging of content, information architecture, metadata about content that facilitates its delivery in a timely fashion to those who need it.
In terms of the live network for information exchange, and really one could look at this as a component of both the technical architecture and the data exchange standards that I will talk about in a moment, the need is to specify the entire stack represented before you, to have unambiguous exchange of data, working on internet connectivity which some people point to as these systems are internet connected, then we're at the point that they can exchange data. It's obviously not enough. Working on having shared methods for encryption and security that will allow for the secure systems that cross organizational boundaries is the next added step. And then above that, working on the exchange of the handshake between information systems that allow for one information system to say to the other we have this data for you, the other one to say I've received that data, and thank you, and its been processed, and is in a form that we can understand. Working on above that the data models and structures for that relative to the industry standards for specification of messages. And then on top of that the specification of vocabularies and terminologies that will be used internal to those messages to ensure unambiguous exchange of information. This is the stack that needs to be achieved in this network, and this is the stack for which we have identified industry standards for implementation and are targeting the ability to have two different organizations handshake over the wire and be able to implement with completely different information systems but be able to unambiguously exchange those data.
A large part of that obviously is speaking to the messages and the common vocabulary for the exchange of this information, and in this regard we have in public health have identified an industry based data model, vocabulary and messages that are derivative of industry standards in this regard, heavily relying on the clinical standards development activities and HL7 activities around the reference information model, as well as the identification of technical standards to ensure that that full stack of interchange is achievable among these different partners. Obviously we are also very interested in interchanging with the clinical care community, and are excited about the opportunities that the National Committee on Vital and Health Statistics is enabling in this regard, and the work of the Consolidated Health Informatics activities to work on industry standards and work on messages that can allow us to interface public health with the clinical care community.
The slide indicates some of the information that we anticipate need to be exchanged, and some of the work that needs to be done. I'm not only identifying and using the industry standards that have been identified as part of these other efforts, but also working on much greater specification for the exchange of these data among participants. And as you can see in the context of public health response there is a lot of work that still needs to be done in terms of some of these specifications.
Finally, and I did talk about this a little bit before, in terms of work on data modeling and data exchange, we have targeted a public health logical data model that is derivative of the HL7 reference information model as well as work that has been done on the public health domain information model which we are continuing to harmonize with the HL7 rim. There are obviously other industry data models that need to be considered and vocabularies that need to be considered in this endeavor, and there's a place of both accumulation and harmonization of those data models as well as achievement of adequate specificity to implement systems that can share technical components and interchange data with minimized mappings and re-mappings of those data, the idea of achieving the logical data model that can lead to physical database implementations at different organizations, as well as the messages for data interchange is the target for the Public Health Information Network activities.
Where do we stand in regard to achieving these goals? I mentioned previously that there was a great influx of funding for public health preparedness and response, over a billion dollars, $800 some odd million of that coming through a CDC cooperative agreement. At that time the IT functions and specifications that were derivative of some of the initiatives I indicated in my first slide, the work that had been done on the Health Alert Network, the work that had been done with public health partners on the National Electronic Disease Surveillance System, these IT functions and specifications have been attached to those monies and funding was done through them. Since then the CDC Information Council, which includes membership both CDC, ASTHO, and NACCHO, public health partner organizations, has approved the naming of those IT functions and specification as version one of the Public Health Information Network standards and specifications. We have as part of that activity also conducted an external review of those IT functions and specifications by the Garten(?) Group, that review is just finishing up, and the work of that review will be presented at the Public Health Information Network conference which is coming up in the early part of next month.
We are also continuing to build on and coordinate the component activities of the initiatives that have led to the Public Health Information Network including all the ones I mentioned earlier, and specifically Health Alert Network and National Electronic Disease Surveillance System and others, and have initiated some conformance testing and activities around public health preparedness and response activities, for example in the area of smallpox vaccine administration that we hope to expand on in the context of further conformance testing across the different activities I've indicated as necessary to achieve this broad interoperable network for public health.
So thank you very much for the opportunity, I believe you want to have questions after the full panel.
DR. LUMPKIN: Yes, we'll go through the three speakers. At this point, before Jac starts, we're going to dial in, thank you for joining us electronically.
MS. DAVIES: I'm Jac Davies in the Washington State Department of Health. Thanks very much to the Workgroup for the opportunity to come and speak with you this morning.
I've called my talk A State's View of the PHIN, I just want to emphasize that this is largely a Washington State perspective. It does include some of the opinions I gleaned last summer when we were going through the process of looking at adopting the PHIN standards through the CIC last summer. It also includes some recent conversations I've had with a number of other states, but it's largely Washington's ideas.
I'm going to give you a little bit of an overview of what we're doing in Washington to give you a perspective of how we're approaching notifiable condition surveillance, also just some background on why we believe that information technology standards are important at the state level, what we see as the benefits of the PHIN, some of the concerns that we identified during the discussions last summer in our own experiences, and finally what some of our recommendations would be for the CDC and this Workgroup to consider.
We began, we've been actually working on a variety of things associated with NEDSS and HAN since before NEDSS and HAN existed. We had a lot of interest in electronic laboratory reporting, we had an interest in integrated data repositories, and had started on a couple activities before the NEDSS and HAN funding began. When those two programs did begin we made the decision to consolidate them under a single umbrella program called WEDSS, the Washington Electronic Disease Surveillance Systems. We decided that we weren't going to be real creative with our acronyms, we just changed the first letter of NEDSS and ran with it.
Part of the WEDSS's approach is recognizing that we didn't want to have one huge information technology project that was going to try to do everything for everybody in notifiable condition surveillance. Instead we took the approach of having a number of smaller projects, each designed to address one component of notifiable conditions. And as we took that we wanted to make sure we were using national standards so that these projects were interoperable, that was the whole purpose of planning and implementing them together, and so that we would be able to work with systems outside of the state. So we had that philosophy from the very beginning.
This is just the pictorial overview of WEDSS, the idea being that in the notifiable condition system we've got all of the elements that actually John talked about in his presentation, the need to collect data from the initial reporter, whether it's a laboratory, a hospital or a physician. The need for that information to be managed at the local level in Washington as in many state, local health agencies are autonomous, they're the primary entity responsible for collecting and managing disease events. That we are managing that data in an integrated data repository, and that we are able to disseminate it and analyze it using appropriate tools, and that all this happens over a secure network, a secure system. So this is the umbrella picture of the different elements of WEDSS that we are implementing.
Now I don't need to talk to this group about why IT standards are appropriate and necessary, I certainly realize that, but I'm going to just emphasize a few points here. One, and in particular, appropriate for notifiable condition surveillance is the issue of data sharing, and all of the aspects of data sharing. Collecting the information from a variety of entities, each with their own kinds of information systems. Being able to distribute data within an organization. We're not a real large state health agency, I guess we're about moderate size, but we have a variety of groups, our STD programs, our TB programs, our communicable disease programs, and when we collect data the data has to be shared across the agency. We also of course share information with other agencies, other states, we share it with our local health agencies, and of course with federal agencies, and that sharing is at the individual case record level so we have identifiable information. It's also at the aggregate level so we can do various kinds of trends analysis. And then we of course disseminate that information back to the data reporters in different formats, to the entire health care system, and of course to the general public.
Standards around the data sharing process really simplify our work. They make it possible for us to go to a brand new reporting entity and set up very quickly a mechanism for electronically receiving the data. They make it possible for us to improve our data quality because we are getting it electronically and we know exactly what we're getting and we're getting it consistently. And ultimately they will save money although realistically we all know that the initial process of setting up standards and getting people to use them is not cheap.
Standards of course also support efficient use of resources by being able to make sure that we are using the same approaches, we can maximize the utility of each application, each system that we develop, and make sure that it meets our business needs. We can minimize the cost if were using current software engineering practices and implementing those consistently across an organization, we need fewer IT resources or at least a less diverse set of IT resources. And then its supportable and maintainable over time. Weve also had a number of experiences in the last six months that had demonstrated that IT standards can help make it possible to implement new systems quickly, the smallpox vaccination program being one, SARS being another. Were all well aware that in public health events happen fast, we have to be able to respond quickly and set up new systems. Weve been living and breathing that with these two events.
We see the PHIN as really providing a lot of the benefits that help address those needs that I just identified. The PHIN really can provide states with a roadmap on how we should be considering developing our information systems so that were being more efficient, were being more effective, we dont have to go out and figure out which standards to use, which are appropriate, because we can look to see whats already been identified at the national level and build those into our models. It also just makes sense. We do exchange data back and forth across state boundaries, we exchange it with federal agencies, previously we have had to do this on a state by state basis, weve had to figure out, with Oregon, for example, with Idaho, now with British Columbia, to a certain extent our neighbors in the Northwest, and thats all been done one by one and its different each time, so the standard really facilitate this process. States have recognized this for a long time and have been encouraging and urging and pleading with CDC for a long time to be taking the approach that theyre now starting to take with the PHIN, so were delighted to see it.
And then just pragmatically, we really are looking forward to seeing the CDC and the CDC various centers and programs beginning to use common standards. There has been a proliferation of systems, each system very viable to states, each system doing good work, but the cumulative impact is huge because each one is different, each one requires a different support level, a different kind of staff, and I have started over time to call this sort of pain propagation. If you think at the CDC in an individual center, the center that developed LITS(?) for example, the system makes a lot of sense for them, it works well for them, and when you roll it out to states it can work. And then if the state gets multiple CDC applications then the state has to figure out how to handle it, being a much smaller organization. But the ultimate level of pain is at the local level where you may end of having one or two people having to run all these different applications, so it gets more complex and were very much looking forward to seeing the iterative development of these different CDC applications using common standards.
We do need to recognize that as with any standardization process theres going to be some difficulties that were all going to encounter, and those are some of the concerns that weve identified. In implementing the PHIN we have to recognize that states are in different stages of maturity around their information technology and may not be able to implement all of the PHIN elements immediately or for some time to come. Part of that is driven by the fact that each state has got different policies in place. State health agencies dont always set and in many cases, most cases, dont set information technology policies. Those are set at the state level by a state department of information systems or similar system by a state CIO or others, and that may dictate what kind of technology state agencies can purchase. It may dictate what kind of applications, what kind of systems states can run and that may prevent states from implementing particular PHIN standards.
I wrote this slide over the weekend and was sort of patting myself on the back for sending this in early so Steve could make copies for me but then realized the disadvantage is when you want to change something at the last minute youre stuck with all the handouts already being made. So I made the comment that one of the concerns is that some of the elements are bleeding edge, and thats probably an over statement, its certainly is as John has identified, there are standards that have been selected by industry. However, for public health, which tends to be a little bit slow in adoption in many cases, theyre new to us, very new to us, and they are going to be difficult for us to implement. We have particular concerns with the EPXML that John mentioned, and also the JAVA issue which is identified in the PHIN standards. The issues there for us are not only theyre new to us, we dont have staff who are experienced in running them, weve got resource issues, we also believe that these are going to drive technology choices. And as I said a moment ago, these may not be choices that were able to make.
We are also concerned just from the process standpoint, we fully understand that none of us have been able to take the time to do the things the way we want to since September 11th, definitely all of our lives have been fast tracked in public health, and similarly the development and adoption of the PHIN standards have been fast tracked. But realistically there has been minimal state involvement in the identification and the selection of those standards and we believe is going to cause some problems for us down the road.
Finally, on the concerns side, we want to make sure that these standards are not developed or implemented in a way that the only way that states can be successful in being PHIN compliant is to be using CDC developed systems. This is in part based on just some of the history we're seeing with NEDSS, NEDSS being sort of one of the sources for the PHIN standards, and as I've said, I've been sort of involved in the NEDSS program from the beginning and watched it evolve over time and watched it evolve from a program that was very much standards emphasized to a program that has certainly still a focus on standards but is also now focused on specific applications developed by the CDC. And I would be strongly encouraging the CDC and this group to recognize that the emphasis needs to continue to be on the standards, not on the development of specific applications, and that we don't lose the value of one over the driving need to have the other in place.
That leads into my recommendations, and it really is split out two ways. The PHIN is trying to accomplish a lot, the PHIN standards, trying to organize and initiate a massive change across the public health system. John and the CDC have taken on a huge effort here and it's an admirable effort, but it needs to be an iterative effort and recognize that it's not all going to happen at once. And I strongly recommend that for external organizations, those outside the CDC, the focus of the PHIN right now be on data exchange and standards associated with that, not on application development, so not trying to specify specific technology and specific application standards for states, but instead to focus on all the different standards associated with data sharing, including vocabulary, how the data gets moved back and forth, and security, which includes the public health directory. This is something that we all recognize as a need and we believe more resource needs to be invested into formalizing and getting out the definitions around the public health directory.
Conversely, for programs inside the CDC, we really want to see the PHIN standards focus both on data exchange and application development. As I said, that's long been a sore point with states is the proliferation of different CDC applications, each using a different technology. So we strongly encourage the CDC to apply the standards internally across the board. And having tried to do that on a much smaller scale I fully understand how difficult that can be, it's hard to get different programs and different IT shops to all agree to use something the same.
Along the same lines there has to be a realistic timeline and in particular a prioritized implementation sequence for the PHIN standards. We can't do all this at once so what are the ones we really do need to be focusing on right now as we're implementing new systems at the state level.
I talked a bit earlier about wanting to make sure that there isn't a requirement, to be PHIN compliant states use a CDC developed system. But part of that is defining what PHIN compliance means, that there needs to be further understanding of what it's going to take to fully meet these standards and when do we get the stamp of approval, and that becomes particularly important if the funding is going to be tied to the standards. We have to know what we're going to be measured against. And recognizing that this is all developmental and we're in sort of a gray zone right now where we've got the PHIN emerging, we've got HAN and NEDSS still out there, but we need to start clarifying the relationship between them as well as the other programs that John mentioned. We've still got HAN requirements out there, we've still got NEDSS requirements out there, and it would help to have a roadmap as to when they're going to come together into the PHIN and when they're going to no longer be measured as different programs.
And finally, I put this one in yellow because I think this is my biggest point, states and also local health agencies have to be very actively involved in all aspects of the PHIN standards. This is a system wide change and all elements of the system have to be very, very involved in developing, adopting and reviewing, and in particular governing the PHIN standards. The CDC has made some very good steps, very good strides in this direction, and I would be very encouraging to make sure that that continues. And emphasizing active, active to me includes having involvement up front in identifying standards and not just having a menu presented and saying does this look ok to you. So it's a different level of involvement that I want to make sure states have the opportunity to participate in.
So with that, actually I think I've run out of breath, John is the one with the cold, I'm the one who can't talk anymore. Thank you very much again for the opportunity.
DR. LUMPKIN: Thank you. We'll move on to Anne and then we'll have questions, if anybody has any. I've only got four or five.
MS. MURPHY: Thank you and good morning. I'm going to ask you to transition with me a little bit and think about changing the focus ever so slightly. I think my presentation is going to ask you to consider in very broad terms the relationship between the public health system and privacy considerations. As we went around the room at the outset we all introduced ourselves, let me reiterate that I am an attorney with the Illinois Department of Public Health, I'm the chief legal counsel and chief privacy officer, and as you might imagine have been busy with those issues and many others in recent months. And want to talk in very general terms initially about the relationship between public health priorities and privacy considerations, then to talk in a bit of detail about the HIPAA privacy rule which took effect on April 14, and I have a method to my madness in wanting to do that because with those two components, with the broad view and with some discussion of the HIPAA privacy rule, there are several considerations, several key issues that this Working Group may want to consider in terms of ways to continue to foster and enhance the public health system's access to individual health information and utilization of that information in an era in which privacy considerations are being given very high priority.
In my view the public health system and privacy principles are at an interesting and critical intersection, and I say this for several reasons that I know are fairly evident to all of you, but let's walk through them just to sort of think about it in these big picture terms. Public health activities are increasingly prominent and increasingly essential in this day and age because of bioterrorism considerations, because of emerging diseases, for a variety of different reasons that each of us confronts every single day. Those activities from a public health detection and response perspective are dependent upon access to individual health information, and so as those privacy considerations come to the fore the credibility and usability of the public health system depends upon an accommodation of those privacy principles to allow for that access to individual information.
At the same time, and as all of you know oh so much better than I, there is a better technical capability to access health data, as technology improves the ability to access it and the ability to use that data at the individual level becomes better and better. And there is an increased need, in my view, for public health authorities to exchange data with other parties, and by other parties I mean both in the public sector and also in the private sector, and I will elaborate on that in a few moments. And in the context of all of that there is a heightened sensitivity to privacy of health information, not only under federal law but also under state law as well.
Now turning to a few of those general observations I think we've already addressed this, both the prior speakers and I, public health activities are increasingly prominent and increasingly essential, and those three examples I think illustrate the point without much additional commentary. Public health activities depend upon, and there should be individual, the word individual, health data, whether we're talking about communicable disease reporting or about population health assessment which in turn in my way of thinking would include epidemiological investigation, registries, research and laboratories, you are at the end of the day talking about an assessment that starts with individual health information.
Licensure and certification. This is one that I would emphasize because sometimes it gets overlooked as one thinks about the public health system. Public health is responsible in many cases for licensure and certification of health facilities. In order to appropriately do that one needs to have access to individual health information, health information with respect to residents and patients in order to assure that care is properly being delivered, and that licensure and certification standards are being met. Early detection and intervention, vital records, and generally preventing or controlling disease, injury, or disability, all of these are public health functions and all of these require access to individual health information.
In terms of the better technical capacity to access health data, syndromic surveillance certainly has been the topic of much discussion and activity, and as has already been referenced this morning, and I know is the focus of this Working Group, improved electronic linkages with providers and local health departments, and with the CDC, whether it's at the most basic level through interconnectivity in a rural local health department, or whether it's at the most sophisticated level, all of that is improving the technical capacity of the system and therefore is improving the potential for the system, not only to better access the data but to utilize that data once accessed.
As to my next point, the increased need for public health authorities to exchange data with other parties, I personally think that this is extremely important. I think the public health system, the traditional public health system if one looks at local health departments and state health departments, needs the assistance of others in order to make the most of the potential of that data, and having those appropriate relationships with third parties, whether we're talking about third party researchers or service providers or law enforcement or others is extremely important. With respect to third party researchers I will say there are both the traditional researchers in terms of academia and at least in the state of Illinois we have seen other third parties come to the fore interested in doing research as well. Other third parties that may want to access the information include community based organizations and other governmental agencies at the federal, state, and local levels.
In terms of the heightened sensitivity to the privacy of health information under federal and state law, we'll talk about HIPAA in a few moments. But I think one of the messages I do want to get across is that state law needs to be considered as well because in many instances state law is going to be more restrictive to the access and use of data than the HIPAA privacy rule might be. The HIPAA privacy rule certainly has received a lot of attention and rightfully so, but as we'll talk about in a little bit, the HIPAA privacy rule is actually very flexible when it comes to the public health system's access to data and is really designed to continue to allow the public health system to access that data and use that data. When you look at state law, and I can only speak with authority to Illinois, if we were to look at the communicable disease code statutes with respect to HIV/AIDS and STD, mental health records, medical studies, registries, facility licensure laws, FOIA and vital records, we would see statutes that can be extremely restrictive and extremely inflexible in fact in certain circumstances in terms of the ability of the public health system in particular to release that information to third parties. And so as we talk about legal constraints certainly let's talk about HIPAA, but let's also focus our attention on what state laws may say.
Now let's turn and talk about HIPAA for a few minutes before I get to my key issues and observations. HIPAA is in fact, the privacy rule is in fact intended to foster and perpetuate public health reporting. It is in my view fairly flexible in that regard and it is also I believe potentially misunderstood as covered entities, whether we're talking about providers or health plans or clearinghouses, struggle with the massive change in their culture and in the various things that they need to put into place in order to comply with HIPAA, I do believe there is tremendous potential for the flexibility that is inherent in the privacy rule with respect to public health reporting to be lost in the shuffle.
And let me just quickly talk about some of the aspects of the privacy rule that do allow for that flexibility. Covered entities are allowed to continue to report information into the public health system without individual authorization under a variety of different accommodations within the privacy rule. First, to the extent that it is mandated by state law, and there are some special bells and whistles in connection with certain types of reporting, but as a general proposition I think it is fair to say that if state law mandates that that information be reported into the public health system then it can be so and it can be so consistent with the HIPAA privacy rule without the need for individual authorization.
Public health activities. There is an explicit allowance, if state law authorizes the reporting of information to a public health authority then that reporting may occur.
Health oversight activities. If state law allows access or reporting of individual health information to a health oversight body, which in many instances will include the public health system, then that reporting can occur consistent with the HIPAA privacy rule without the need for individual authorization.
There are a couple of other categories that I don't have time to go into that may eventually be useful if one is looking at bioterrorism related reporting, those relating to a serious threat to health or safety and to disaster relief. I will also mention, although it's not on the slide, the need to focus on accommodations for research, although I would caution that there needs to be a clear understanding of the distinction between public health practice, epidemiological investigation for example, that need not in my view meet the more cumbersome research requirements under the privacy rule but rather instead should be viewed as public health activities, and part of that distinction may hinge on whether the activity in question is being done to address a particular health problem or is being done to advance generalized knowledge. Not enough time today to go into that but something that I would certainly footnote for further consideration.
Now going back to a few of these HIPAA accommodations and talking about them in a little bit more depth, or really just sort of identifying categories of state law that may benefit from these accommodations, in our state at least, in Illinois, our communicable disease reporting would fall into the required by law category, no individual authorization is necessary, mandated lab testing, mandated access to information for licensure and certification purposes, vital records reporting that incorporates individually identifiable health information, there is in the mandated by law category, as I alluded to before, some special bells and whistles that need to be accommodated for certain kinds of reporting. In other words there are some specific requirements within the HIPAA privacy rule that need to be satisfied if you want to avail yourself of the mandated by law exception when you're talking about disclosures for abuse and neglect, disclosures for judicial or administrative proceedings, or disclosures to law enforcement. But having said that I would also emphasize that in fact the HIPAA privacy rule does allow for those disclosures as mandated by law.
Disclosures for public health activities to a public health authority. What I want to emphasize here is that public health authority is defined by the privacy rule, not only to include governmental entities, but also to include non-governmental entities with which a traditional public health authority might contract or to which a traditional public health authority might delegate authority. So if a state health department decides that it wants to delegate public health authority to a third party through a contract, then the HIPAA privacy rule specifically indicates that that third party may be considered a public health authority to which public health reporting may occur without an individual authorization. It's a component of the law that allows for flexibility and that allows for contracting.
Moving to health oversight, I would point out that health oversight contains that same allowance when it talks about what constitutes a health oversight agency. It specifically indicates that a health oversight agency may not only be a governmental entity but also may be a third party with whom that governmental entity enters into an appropriate arrangement. And health oversight is broadly defined to include audits, investigations, inspections, and licensure or disciplinary actions.
In terms of HIPAA constraints on public health activities, really that's a function of the activities themselves. Which activities of a public health entity may be considered covered or not covered really varies very significantly from jurisdiction to jurisdiction, whether you're talking state or local. In the state of Illinois we consider ourselves to be a hybrid entity. To state it as directly as I can most of our activities are not covered functions under HIPAA, the vast majority of our activities are not covered functions under HIPAA. We have two programs that we have determined to be covered functions that from a technical legal perspective must meet the requirements of the HIPAA privacy rule, our blood lead screening program and our ADAP program for the provision of AIDS and HIV positive medications. Notwithstanding that, and in large measure due to the efforts of Dr. Lumpkin, we have adopted within our agency a culture of privacy, so we endeavor to achieve privacy to the fullest extent possible consistent with public health considerations but HIPAA requirements are legally mandated only for those covered functions.
In terms of key issues, and these are the four issues that I really want to offer to this group for consideration as you think about the needs of the public health system and the new era of privacy that we are all working within. I think there is a potential for reduction in reporting to public health authorities due to misperceptions and misunderstandings as to the HIPAA privacy rule, and I really would like to emphasize that to this group. As I indicated, and part of the reason I took the time to walk through some of the particulars with respect to the HIPAA privacy rule, the privacy rule in my view, and I think in the view of those who have studied it from a public health perspective, is flexible and was in fact successfully designed to allow for continued public health reporting and continued use of that information. But there is a tremendous amount of discomfort in the provider community at this point in time, tremendous potential for the baby to be thrown out with the bath water for hospitals and nursing homes and health plans even to knee jerk and say sorry, we just can't do it, HIPAA doesn't allow for it anymore. And therefore I think there should be strong consideration of an intensive education and communication campaign to the appropriate constituency groups, to the provider associations, to state legislator associations, AG offices and the like, to say no, in fact that is not the case, in point of fact HIPAA does allow for these things to continue to occur. We have undertaken such a campaign in Illinois and I think nationally certainly in other jurisdictions, there may be some benefit from that as well.
For those of you with a particular interest in this topic, if you don't know about it already, there was a very good article in the April 11 issue of MMWR that talks about HIPAA privacy rule considerations in relation to public health and reflects joint guidance from the CDC and DHHS on that topic. There are some specific things I would emphasize if I were embarking upon that educational campaign in terms of flexibility with respect to satisfaction of the minimum necessary standards and flexibility with respect to the accounting requirements within the HIPAA privacy rule.
The second observation I would make is that in my view the time is ripe to have an open and public dialogue in order to facilitate innovative but appropriate data relationships between public health authorities and third parties. And remember here, I'm an attorney, I'm talking about contracts in large measure. I'm talking about coming up with documented relationships between the traditional public health system and third parties in order to expand the potential for use of that data, the potential to analyze the data, the potential to research around that data and take that data out into the field. And in that regard I would say that, as I said before, HIPAA may be more flexible than some state laws and so perhaps some of those state laws need to be reevaluated.
I also think that at a national level the public health community would benefit from some concrete discussion and maybe some model contract development around agency relationships that public health governmental agencies could enter into, what kinds of contractual arrangements could be standardized or could model agreements be developed around with appropriate confidentiality provisions built in, and I think there could be some model contract development. Those would need to be tailored to state law, but I think it would get that issue out for discussion and I think the public health community would benefit from it.
My third recommendation has to do with bioterrorism, and the fact that there is so very much going on right now in the context of bioterrorism preparedness and response, on so many different levels. But while there's a lot going on and a lot of it is extremely positive in terms of moving the system forward, and I would point out that forensic epidemiology is one area where there's been substantial effort, the CDC has a very intensive national campaign underway to bring together the law enforcement and public health communities in order to educate both constituencies about how you could put together a forensic epidemiology program. I will say once again that this is an area in particular where state laws may be rather inflexible. Our communicable disease code in Illinois says, and Dr. Lumpkin and I were talking about this this morning, you shall never disclose this data ever to anyone under any circumstances, including but not limited to pursuant to a court order. Well, working with that in the context of forensic epidemiology is extremely difficult. HIPAA allows for it if you jump through the appropriate hoops but state law may not, and therefore I think there needs to be some attention given to that state law inflexibility in order to create the fullest potential for that interchange of information between the public health and law enforcement systems.
My final recommendation for consideration has to do with considering the increased pressure for specific health information from the media and the public in an era of bioterrorism, West Nile, and SARS. The public wants a lot of specific information and the media is more than happy to pursue diligently on their behalf, and that creates a particularly strong tension between the needs of getting information out to the public for public safety purposes, and the traditional sensitivity of the public health system to the privacy of individual information. And if you think about SARS I can assure you I have had specific conversations about this very topic numerous times over the last few weeks, how much information will you give out about the gender, the age, the date of onset, the geographic location of those who are suspect cases, and recognize that the way that those judgment calls are being made is varying quite significantly from jurisdiction to jurisdiction. What is going on in our state in terms of the release of information is not what is going on in another state, it may not even be what is going on in a local health department within our borders. So that issue needs to be considered. FOIA laws, state FOIA laws can be rather vague on this topic which is sometimes helpful and sometimes not, and FOIA laws it seems to me could be examined if one were to delve into this topic in a little bit more depth. I have a somewhat cryptic reference to litigators in organized labor because they can be our most diligent pursuers of information aside from the media, and there are some special sensitivities that need to be addressed by the public health system in responding to those requests.
But I think ultimately my recommendation here would be that the public health system should strive for consistency in the level of detail that is being offered, after giving consideration to both the privacy and the public safety considerations, and that that is a discussion that perhaps could be had on a national level. Certainly state laws need to be accommodated, but in terms of endeavoring to achieve some consistency around the extent of disclosures, some recommendations about what level of detail is necessary in fact in order to protect the public health may be a worthwhile effort.
That concludes my remarks and I thank you for your time and attention.
DR. LUMPKIN: Great. Id like to thank the panel for staying on time and helping us keep our tight agenda. We now have time for questions, and I will make an observation and perhaps start off with a question and then turn it back over. It seems to me that the two states represented and the CDC all happen to be engaged in a common activity beginning the second week of May, so the question is to what extent do you believe that the systems that are being put in place will be tested during TOPOFF(?), and evaluated, to the extent that you know. For those of you who dont know, TOPOFF stands for top official drill, its a Congressionally mandated test of the ability to respond to a terrorist event, and its scheduled to begin May 10th with a bioterrorist attack in Chicago, spreading to Canada, and a dirty bomb in Seattle, so thats the reason why the two states who just happen to be here are involved, and the CDCs a player, too.
MS. DAVIES: In Seattle we're in some ways rather fortunate that it's a dirty bomb scenario because we have years and years of experience in planning an emergency preparedness around radiological events, we're the state with Hanford(?), and so in our agency we have a radiation protection program that's done quite a lot and they are actively involved in the work for the Seattle TOPOFF exercise. There was initially some thinking about including a passenger from Chicago coming into C-tack(?) to just let us dabble our toes in the BT event, and then we decided to not do that because we thought that the dirty bomb, there's going to be a cyber attack, and a couple other things going on and it was just getting a little ridiculous. The things that we're talking about under the PHIN and the Health Alert Network and so forth we're not planning to bring into play as part of the Seattle exercise, as I said we're going to be relying on the existing systems that were in place for radiological events. I don't know what's, I haven't been involved in the planning, I don't know what's going on in Chicago.
MS. MURPHY: Well, I can speak primarily to the sense that TOPOFF will test our legal authorities in connection with reporting and utilization of the information. In Chicago we've developed a legal team that has pulled together federal, state, and local attorneys and we've anticipated the issues that we think are going to be raised during the exercise. We've also selected a few of those for special consideration and evaluation, and one of those that we selected has to do with the legal capacity of providers to report information to the public health system and also to report information to law enforcement. And we did that intentionally knowing that the exercise was going to be coming on the heels of the effective date of the privacy rule and we thought that it would be an opportunity for us to reinforce the message that we already want to get out which is yes indeed, you should continue to report this information as appropriate. Where I think things could get interesting is in the area of forensic epidemiology. The FBI is playing very, very actively in this exercise, and is looking forward to the opportunity to do a trial run on some forensic epidemiology with our local and state public health department staff, and I think we are going to work through some issues with respect to the extent that federal and state law allow for that to occur.
DR. LOONSK: I participated in TOPOFF one and if that's an indicator, because it's oriented, TOPOFF has been at high level offices and simulation it didn't really get to the level of actual implementation that many of the information technology issues are actually exercised, and maybe TOPOFF two will be different, but I suspect at some level it's going to cruise above some of where the rubber meets the road so to speak.
DR. LUMPKIN: Thank you. Other questions? I've got a whole list, so, Bill?
DR. YASNOFF: Jac, you mention in your talk that you thought it would be good if CDC focused more on standards for external organizations rather than application development. And I may be, correct me if I'm taking your comments incorrectly, I think one of the concerns at CDC is that clearly speaking from Washington, you folks have the capability of building software packages but not all states have that, and so I think one of the concerns at CDC, and John you may want to comment on this as well, is that there's an issue of helping those states who really can't or won't develop software with software packages. And so I wonder if in the light of your recommendation if you could comment on what you think the direction should be to meet the needs of those states who really are not in a position to develop software.
MS. DAVIES: Let me just clarify my initial comment, that in terms of the standards, within standards I would recommend a focus externally on standards around data transfer, and less on standards around application development. But I also believe, my succeeding comments then on cautioning the CDC about having the PHIN process change into a process that's focused on application development. I fully recognize the rock and the hard place, and as I said having watched the evolution of the NEDSS process, the CDC was very, very strong on standards at the beginning and that's what states wanted and then states began saying we don't know how to do this, we don't know what to do with this information, we don't know how to turn it into applications, can you help us, and that was the genesis in the NEDSS base system. So states certainly have asked for help in application development. The problem is that for somebody else to try to develop an application, this is not unique to the CDC, if we try to develop an application for a local health agency we run into the problem that we don't really understand the local's business. It's just the fact we don't live it. And we've seen the same thing with CDC developed applications for the states. It's difficult for a federal agency to fully understand and to address the business needs of a state agency.
Another model might be for state consortia to do joint application development, as is beginning to happen around laboratory information management systems, with the Association of Public Health Laboratories taking the lead on developing business requirements for states that states can use either to turn over to contractors or to do their own development. Similarly, the NCHS and NAPHSIS are working with state registrars to begin the development of business requirements for electronic death registration systems. That seems to be a model that certainly has a lot of advantages to it and although it's a new model maybe one that would play out in a way that really could result in functioning state systems.
DR. LOONSK: Bill's comments are very apt, that there are many states who are not as able as Washington State to develop systems, and there is a need for a safety net to support those states and local public health agencies. We are strongly committed to allowing for standard based systems that aren't CDC developed to work in this network, and that is our commitment that we will continue to reiterate, and I think that part of this also can be, we can make progress in in terms of the transitional software that identified, which is more functionally oriented where component pieces of software, for example, to increasingly integrate complex systems, can be shared and that those don't necessarily dictate particular business requirements about they're used but enable the implementation of those standards.
DR. LUMPKIN: Ok, follow up on that and then Eduardo. Ted's going to just follow-up.
DR. SHORTLIFFE: This is very directly related to what was just being spoken about. I'm trying to read between the lines in this comment and concerned a little bit. It seemed to me you were adding a concern that PHIN compliance would somehow or another be linked to use of applications rather than simply adoptions or integrating properly with the standards that might come out of this kind of a development activity. Wasn't that also a point that you made? And I just wondered to what extent that in fact is something that's been happening. Are you feeling that Washington is under some kind of pressure to adopt applications that are CDC promulgated rather than to participate in the standards development and then to make sure that the systems used are compliant with such standards?
MS. DAVIES: It's a little early to say for PHIN, but two prior experiences, just give us pause. One is around NEDSS and the development of the NEDSS base system, and as a non-based system state, in order to make sure that we are able to send data to the CDC for example, in order to make sure that as we, what are called the PAMs are rolled out, the programs application modules that are going to be developed to fit into the base system that are specific to CDC programs, the plus of this is getting those programs organized so the new TB system, the new STD system and so forth that are rolled out to states will be essentially modules of the base system. Well we've got to run those, and we've got to make sure that those will nest into the system we're developing, and our comfort level right now is not real high that that's going to happen. So that's the first example.
The second is more recently with a smallpox vaccination program, and the PVS system, the CDC developed system to support that. Again, we did not go with that system, we went with a vendor designed system, and have had some difficulties trying to make sure that we're able to send the data. Both systems built to the standards, but again this group, don't need to go into the difficulty of defining and implement to standards, it's a learning process and I just wanted to raise the flag early on that we're not all going to go down the same road, we don't want to be pushed down the same road.
DR. ORTIZ: Ms. Davies made a comment, I guess her last thing which was in yellow so it struck me, assure active state involvement in development, adoption, review, and governance of PHIN standards. And so when I heard that, my question I guess is more to the CDC, but also you may want to respond to this, I wasn't sure if that meant so much that you were concerned that this hasn't happened, or you just wanted to put that out there, so my question is really more to the CDC saying up until now, how much of all these things that have been developed have been mainly at the CDC level versus who else has had input in these systems, and just from CDC's perspective, how much involvement do you think you have given to local and state public health officials, maybe even practicing clinicians, patients, etc., to make sure you're getting enough input from the stakeholders to make sure that their concerns are being addressed?
DR. LOONSK: The processes for NEDSS and for HAN to involve state and local health departments were relatively informal, so there was a history of involvement and activities in that regard. They led to specific standards and specifications, the fast tracking that Jac alluded to was around the bioterrorism monies. There was about to be over a billion dollars that went out, over a third of which was targeted to be used for information technology development and it was going to be implemented and passed out without guidance as to the technical standards for that implementation. So in that fast track setting we took the standards that had been developed in those relatively informal processes for NEDSS and HAN and almost exclusively used them to develop the technical specifications that were attached to that cooperative agreement.
Since then we have established a more formal structure for how both the data standards and the technical standards will have stewardship by the public health partners as represented by ASTHO and NACCHO, and by CDC in the context of committees off of the CDC Information Council. So we feel that the process is more formal, we recognize the fact that in the process of trying to bring order to the bioterrorism funding that was going out the door, that it was fast tracked but we feel now in the context of the technical review on the technical standards and the stewardship by these representative groups that we have achieved a better and more formal process for the future.
DR. LUMPKIN: And I should point out that this Committee did, the NCVHS did send a very strong recommendation to the Secretary that those funds be expended in the standards based way. Richard, for the final question before the break.
DR. HARDING: Very good panel, and thank you all for being here. Several of you mentioned this issue of public access to information and it was brought up about privacy protection versus public safety and so forth. The final one though was to me public misinformation. How do we deal with that? Because you watch the war and people get these dribbles coming out about something and then get experts who come up with ideas about what that means and so forth. How do we avoid catastrophes so to speak by public health information becoming public in raw form before it is refined by the experts? What's the policy there? How is that going to work?
MS. MURPHY: At the end of the day I think it's not a legal question but I'll give you an attorney's perspective on it. Part of the challenge it seems to me, I wish there were a chief information officer here --
DR. HARDING: Like Baghdad Bob you mean?
MS. MURPHY: To lend some practical perspective to this, but I think one of the challenges is coordinating within the public health system how that information gets out and achieving coordination among components of the public health system to have the goal not be which jurisdiction gets the information out first, but to have the goal be how do you get the information out best in order to serve the public interest. And sometimes that means that if you think you've got the, in sort of the reality being what it is, if you feel that you represent the agency that is best able to give a balanced perspective, and is best able to process the information at hand, then unfortunately it's going to be important to try to get there first. That's a little circular, but I think it is the, I think John knows what I mean, it is incumbent on the public health system and I'll take Illinois as an example, the Illinois Department of Public Health, if it sees an issue that is a moving target, if it sees a SARS or a West Nile, and it recognizes that there is the potential for misunderstanding, is someone other than we is taking that information and speculating off of it, it's incumbent on us to get a balanced message out there first I guess is what I'm trying to say in a roundabout way.
DR. LUMPKIN: Ok, I do have a number of questions, I'm just going to ask one that if perhaps John you could give the information to the Committee a little bit later and then we do have to move into the break. And that is the Secretary testified, I think it was about two weeks ago in regards to the spending out of the funding for bioterrorism and some concerns about the degree at which that spending is occurring. I was wondering if you could provide us with some information to the extent that some assessment of the state spending on the information systems, if 30 percent of the funds are being allocated for information systems, do we think that that in fact is happening? Are there delays that may be occurring at the state level that ought to be addressed? I think over half the states have new governors, new administrations, and I suspect that there may be some areas where we ought to or we could as a Committee in our next meeting urge greater attention to implementing this important infrastructure if we had some data on that.
DR. LOONSK: The one third number was the projected number, and in terms of getting the Working Group numbers specifically on how that has played out relative to the issues about expenditures of the funds we can work to provide those relative to IT funding. Obviously as a general issue, there have been, the expenditures of funds have been problematic at times, we know that IT contracting and implementation is not the most streamlined in all circumstances, so it is a particularly pointed question.
MS. DAVIES: The fact that, just point out, that has been a huge issue for discussion in ASTHO and just to please recognize that the contracting process at the state level, including transferring funds to local health agencies is one that may not be showing up in the HHS sights as much as it should. We've committed all of our funding to local health agencies, the proportion that's going to them, it's obligated to them, they're spending it but it's not showing up as spending in HHS records, so just keep in mind that there's some difference of opinions between states and HHS on how much money has been spent.
DR. LUMPKIN: Understanding that, but I think the issue, and my understanding is that the expenditures for the information infrastructure primarily tends to be a state expenditure, and so we should have better records in that than other aspects of the bioterrorism infrastructure.
Let's take a short break, we're scheduled to return at 10:30. I'd like to thank the panel very much, it's got the morning started off with the right approach.
DR. ZUBELDIA: -- you mentioned in Illinois you have a culture of privacy and most of your functions are not covered entities as a function under HIPAA. The question I have is what kind of legislation or regulation or statute cover the data transfer of to a public health authority after a HIPAA covered entity sends it to you, it could be state regulation, it could be local, can you tell us a little bit about that?
MS. MURPHY: I'm going to repeat the question and my apologies, it was a little bit difficult to hear it through the speaker phone with a mic point up next to the speaker phone. I think, I'm speculating that you were asking whether in effectuating a culture of privacy within our agency recognizing that very few of our functions are actually covered by the federal HIPAA requirements, how in fact we are doing that and how state law may play into that. Is that a fair summary of the question?
DR. ZUBELDIA: [Inaudible.]
MS. MURPHY: Well, what we did essentially is to piggyback off of the things that we needed to do in complying with HIPAA, so HIPAA would require you to do all of the following, to appoint a chief privacy officer, to undertake appropriate education of staff, and in our agency we decided that in order to effectuate a culture of privacy and mean it we were going to educate each and every employee within our agency including contract employees as to the privacy requirements. And we have in fact done that, over 1,000 employees were educated as to the HIPAA privacy standards and other privacy requirements. We have a centralized committee on HIPAA implementation within our agency and we have a privacy liaison now who sits on that committee and also represents each of the major program areas within our agencies, so we have the interface of information back and forth as it relates to privacy standards. We have a privacy directive that Dr. Lumpkin executed that imposes upon personnel adverse consequences if they don't adhere to our privacy requirements. And we have detailed policies and procedures that are both HIPAA compliant and also implement privacy standards outside of our HIPAA mandated functions to the extent that we believe that those are appropriate. We have a working group between governmental agencies and the private sector so that we can exchange information with the private sector with respect to privacy requirements. And as state government we undertook the development of a draft preemption analysis in order to determine which laws within our state might conceivably be preempted by HIPAA. And if you take all of those things together what we have done is have a narrow band of activities that are technically compliant with HIPAA and a much larger band of activities that we bring into compliance with the principles imbedded within HIPAA to the extent that we reasonably can.
But if we reach the conclusion that technical compliance with those HIPAA standards would impede public health services and function, and we are not required to comply with HIPAA, then we very carefully and very narrowly decide not to. And of course implicit in all of that is that if our state laws are more stringent with respect to privacy then we comply with those laws.
DR. ZUBELDIA: [Inaudible.]
DR. LUMPKIN: The question is is the situation in other states similar to Illinois, and Jac maybe you might answer for Washington.
MS. DAVIES: It is, and that it sounds like that we've gone through a lot of the same processes. We have also come down to identify ourselves as a hybrid entity, we only identified really one activity associated with our newborn screening program that we concluded was absolutely met the definition of requiring HIPAA compliance. We are taking the same philosophy of promoting the HIPAA provisions throughout the agency, but we are putting the emphasis on the part of the agency that's going to require the technical level of compliance.
MR. BLAIR: First I wanted to express my appreciation for the testimony of everyone, I learned quite a bit and I found it very helpful. One of the things that I was sensitive to, though, was that I think the folks in this room, many of which have been part of the development and recommendations for the privacy regs of HIPAA are very much aware of the purpose and the conversation in this room, if it is taken out of context, may have lost the purpose of the privacy regs of HIPAA. And I just wanted to indicate that while the conversation today was focused on the flexibility that allows information to be available for public health purposes, the purpose of the privacy regs is to protect personal health care information and a lot of things were included in that regulation to do that and that the discussion in our meeting was only that portion of the privacy regs which were intended to not impair information available for public health, but that its purpose was not to facilitate that.
DR. LUMPKIN: Thank you. We're going to now take a break, we're going to take about a ten minute break, and by my clock that will have us getting back about 10:35 or so.
[Brief break.]
DR. LUMPKIN: I would like to welcome the panel and ask you to introduce yourselves so that the folks on the internet can hear your voices and associate them with a name. Gail, if you'll start.
MS. WILLIAMS: Good morning, I'm Gail Williams.
MS. O'CONNOR: Good morning, I'm Lilly O'Connor.
MR. HOPFENSPERGER: Dan Hopfensperger, program manager for the Wisconsin Immunization Program.
DR. MEARS: Greg Mears with North Carolina EMS.
MR. EDMONDS: I'm Larry Edmonds from the National Center on Birth Defects and Developmental Disabilities.
DR. LUMPKIN: Great. This is a panel on improving reporting from primary sources to registries, and we have a full spectrum of, not a full spectrum but a cross section of registries that operate within health agencies. We'll start off with Gail. Thank you.
MS. WILLIAMS: Good morning Chairman Lumpkin and distinguished members of the National Committee on Vital and Health Statistics, National Health Information Infrastructure Workgroup. I'm Gail Williams. I'm the acting chief of the Immunization Registry Support Branch in the National Immunization Program at the Centers for Disease Control and Prevention. Thank you for inviting me to speak with you this morning about immunization registries, tools we believe that can ensure continued successful delivery of one of our greatest public health achievements, vaccines.
Today I will discuss the status of immunization registries in the United States and the challenges that we are facing. I will then make recommendations to the Committee for your consideration on how to improve the situation.
We at CDC's National Immunization Program believe that meeting the ongoing challenge of vaccinating the 11,000 children born on the average each day requires the development and implementation of community and state based immunization registries. Registries are confidential information systems that track childhood immunizations.
Ideally after obtaining consent a child is enrolled in an immunization registry, possibly through linkages with electronic birth certificates or at first contact with the health care system. Data are recorded at enrollment and are electronically transferred to populate the registry's database.
At each immunization encounter, the child's history is located in the registry's database with the help of patient identification algorithm, and downloaded to the provider's fully integrated, computerized information system. The provider can have confidence that the record is complete and accurate, as the registry will have assembled all immunizations the child has received regardless of when or where they were administered.
The registry will add value to the provider's practice by providing automated decision support, reminder/recall notifications, and official documentation required by schools, camps, and day care facilities.
Is this scenario too much to hope for? We don't think so. In fact, we have developed a Healthy People 2010 objective to have the immunization records of 95 percent of children in the United States in a fully operational immunization registry.
Currently, all of our 64 grantees that receive federal immunization funds, that's 50 states, six large cities and eight territories or commonwealths, are developing or implementing immunization registries, and 31 percent of U.S. children are currently in an immunization registry. CDC is committed to increasing this percentage, and since 1994 has allocated $262 million dollars for immunization registry development.
Four areas continue to challenge immunization registry progress. These are ensuring the confidentiality of registry information and the privacy of registry participants. Ensuring the participation of all immunization providers and parents. Ensuring appropriate technical functioning of registries to enable high quality data collection, use, and exchange. And ensuring a sustainable funding stream for continued immunization registry support.
In an attempt to overcome the registry privacy challenge, we developed minimum specifications and implementation guidelines in collaboration with privacy experts and registry stakeholders. In 2000 the National Vaccine Advisory Committee approved these guidelines, which recommend written confidentiality policies that are consistent with applicable state, federal, and local regulations, and written authorized user agreements. Parental notification of the registry and the option to choose whether to participate. Use of registry information only for its intended purpose and specification of who has registry access and to what information that access provides. Defined penalties associated with unauthorized disclosure of registry information. And specification of the length of registry data retention and what will happen to the data at the end of that period.
Perhaps our biggest challenge is creating provider demand for registries. Focus groups have indicated that one barrier to participation is concern about the adverse impact that a single focus information system could have on office practices by requiring multiple record systems and duplicate data entry. Consequently we are working with software vendors and standards organizations to add value to their products by creating immunization registry interfaces.
We believe another stumbling block for provider participation is the quality of registry data. To improve quality we developed a set of test cases that allow us to measure the sensitivity and specificity of de-duplication algorithms currently used by registry developers to uniquely identify registry participants. In addition, we are pilot testing a process that compares provider-verified immunization histories collected in the National Immunization Survey with immunization registry records. Preliminary results indicate that this methodology will enable us to assess the quality of registry data by evaluating it against gold standard clinical data.
We also must ensure that registry data are used to improve the effectiveness and efficiency of our immunization programs.
Registry participation offers multiple incentives to providers and parents, including increases in immunization coverage and improvements in office efficiency. Registries have also been used to identify clusters of vaccine-associated adverse events, to identify and re-vaccinate children who received immunizations from sub-potent vaccine lots or inadequate dosages of vaccine, and to monitor the implementation of new vaccine recommendations.
Oregon's registry data were used to assess the impact on hepatitis B vaccine administration after recommendations were made to postpone the first hepatitis B vaccine dose until two to six months of age in infants born to hepatitis B surface antigen-negative mothers. Registry data indicated a 93 percent decrease in vaccine administration during the six weeks after the recommendations were made. This is one of many examples of how registries are meeting state and local public health needs.
Since 1993, the National Immunization Program has encouraged the development of community and state based immunization registries that meet local needs. While flexible, this approach has resulted in registries that differ in functionality and operate in different electronic environments. To facilitate registry development and enable secure data exchange, core data elements, vaccine codes, technical functional standards, record exchange guidelines, and certification processes have been identified and developed by CDC in conjunction with our partners, including the National Vaccine Advisory Committee. These long standing conformance efforts are directed to promoting a single, national platform independent standard to link immunization registries with each other and with other information systems.
This slide, based on self-reported data, shows progress being made by registries at achieving some of the functional standards. Some of these functional standards are privacy and confidentiality, reminder/recall, exchange of information using the HL7 standard, information available at the time of encounter, and being able to process within four weeks of administration. Records created within six weeks from birth and including all National Vaccine Advisory Council core data elements. No standard has been achieved by all of the registries, nor has any registry yet achieved all of the standards.
Although much progress has been made in developing a nation wide network of community and state based immunization registries, much work is required before reaching the 2010 objective of increasing to 95 percent the proportion of children in a fully operational immunization registry. You can help us reach this goal by promoting registries at every opportunity as an integral data driven component of an immunization program, acknowledging the critical role that immunization registries can play as a backbone of the public health information infrastructure. Demanding the adoption of national standards. Specifically, the publication of the HIPAA claims attachment transaction that applies both the HL7 and X-12 standards will catalyze software vendors and others to make their systems compatible with the appropriate clinical data. Help us educate our provider community on HIPAA disclosure to assure providers are confident with the immunization reporting. Support Vaccines for Children Program funds for registries to ensure a sustainable funding source. And increase the accountability of registry resources at the federal, state, and local levels.
I hope that this background on the status of immunization registries and the presentation on key challenges facing registries and recommendations to improve the situation have been useful. Thank you again for the opportunity to testify, I will welcome any questions when the time is right. Thank you.
DR. LUMPKIN: Thank you very much. Dan?
MR. HOPFENSPERGER: I'm Dan Hopfensperger, I'm the program manager of the Wisconsin Immunization Program, I appreciate the opportunity to speak with you about immunization registries. In our opinion, immunization registries are key to us reaching the immunization levels as Ms. Williams outlined in the health objectives for the year 2010. In Wisconsin the public providers, the public health providers in the state of Wisconsin give approximately 30 to 35 percent of the immunizations while the private sector does approximately 65 to 70 percent, so the WIR is one of our collaborative efforts in working with the private sector to improve immunization rates, not only in our children but in all populations. And we understand that without those collaborative efforts we won't be able to reach those goals.
I like showing this in this slide at the beginning of our presentations on the registry because to me it shows a good example why we need immunization registries. We did this as part of our implementation of our working towards a GIS mapping device, and what this shows is children or individuals that have received at least one immunization from the Dane County Public Health Program which is within the southern part of the state, the largest confluence of green, and this shows where the individuals are living at the present time. It shows you that they don't stay where they usually are, they move all over, and that gives you an idea of why we need immunization registries. Because in moving they have multiple providers, and parents don't always keep good immunization records, so without an immunization registry the provider either needs to delay the immunization to figure out what the child actually received, or they need to start over. And neither one are acceptable as far as we are concerned when we have the ability to determine what an immunization level is on an individual. It also as far as one of the things that we show of people going to northern Wisconsin where many of our hunting and fishing activities occur and there is an accident and where they need a tetanus immunization, it is a good opportunity to determine what was previously given.
Unfortunately time does not allow me to show you some of the other, the great functionality that we built into our system and other registries have built into their system regarding forecasting. So for instance, when you look at what an individual has previously received, based on the ACIP schedules it will make recommendations to the provider as what there should be given on the present visit or future visits. It also allows providers to do reminder recall, that if a person is due for an immunization they can re-send out a reminder notice for the child or the individual to come in for that immunization, or if they missed the immunization for a recall notice. We also give some of the things as far as inventory control, that if the immunization registry is used as intended, when they get new vaccines into their inventory they can add it to the registry and as they give immunizations it will deduct from that and it will give them idea as to when they should order more vaccine. And then it also gives us the opportunity to do immunization level assessment, not only for the private practice but for the entity, say the county, the city, the local health department jurisdiction.
This is the first screen that one would enter when they come into the immunization registry and it is a total web-base immunization registry. The data is encrypted when it is sent out or exchanged between the registry and the provider and we, it's password protected, so you have to be an authorized user and we have user agreements, not only for the organization but for individual users, the organization needs to send those agreements to us and then they must keep the individual user agreements for each of the individuals within their program that uses the registry, they need to keep those signed user agreements within their organization.
We get vital records downloads from our health statistics program. We get those downloads on a bi-weekly basis and the files are updated on a weekly basis, for instance if any information within those record change. Our system is an opt out system, when a parent gets the opportunity to opt out of the system, both when they sign up for their birth certificate they are informed that their data will be loaded onto the immunization registry and if they choose to not participate they ask for a form and they send that information to us and we take them off the registry. The other opportunity they have to opt off the system is each time they present to their individual immunization provider. In addition to that we have ongoing meetings with the Wisconsin Immunization Registry staff and our vital records staff, to make sure we're just keeping up to date on the things that are, the nuances of the programs and such.
By and large, because of our vital records downloads, the information, the infants are most likely to be on the system by the time they are seen by their health care provider so the data entry is minimal as far as demographic data. The other use of, just one other of the uses of having this information is it gives us a good idea as to population based immunization levels as we get a little more penetration into our, when we have total populations within the system.
We've been working on the immunization program, on the registry, or we implemented in the fall of 1999 and then when state implementation in the spring of 2000, so to a certain extent we are in our infancy as far as implementing the system. Wisconsin has a population of approximately five million people. Our birth cohort is approximately 68,000. It is a birth to death system. Our primary focus is on infants and children but we include all immunization records within the system.
We have 2.5 million clients within the system, many of them are from birth downloads, however, we have over 17 million immunizations within the system in that short period of time. 5,000 immunizations are entered into the system either through inventory where they enter the immunizations as they give them or through historical immunizations that are electronically downloaded and I'll discuss that a little bit more later. We have over 500 providers on the system at 1500 sites. When we bring on a provider we call, say for instance as a large health entity, a clinical practice, we will count them as one provider but they may have multiple offices or health care providers within that system. We have over 7,200 users, at any one time we have over 1,000 users accessing the WIR at any given time. We have also allowed schools to use the registry and we have over 1500 schools using the data on the registry. We do not allow schools to enter data, it is look up access only. The reasons we have done that is because we have concerns about data quality from the schools, it is in our opinion, and from the studies that we've seen it's fine for monitoring as far as immunization levels regarding the law, however we considered the registry to be a gold standard and unless we're absolutely sure that that data is accurate, we will not put it in the registry and there are other concerns regarding the Family Educational Rights Privacy Act as far as the use of that data within the system.
This gives you an idea of the number of children that we have within the Wisconsin Immunization Registry, we started the birth downloads in 1995. So prior to that the only way we would have them on the system is through the enter of immunization records, so that explains why we have 100 percent of immunizations, 100 percent with immunizations prior to 1995. However, I think what's significant about that prior to the 1995 again considering that our birth downloads, our birth cohort is approximately 68,000 children, we are getting pretty good penetration with the registry as far as, and to the private provider in public health sector. Post 1995 as you can see as far as our penetration and again we're doing pretty well there but we still have a long way to go.
One of the things that I was asked to talk about is some of the things that we do within the Medicaid program, and this just gives you an idea since 1990 the number of children of clients on Medicaid that are on the system and those with immunizations, then the percent that have immunizations and the average number of immunizations per client.
The interface solutions that we have talked about and some of this was discussed by Dr. Loonsk, is in one of the things that we have tried to do and I want to reiterate what Dr. Loonsk said is we need to avoid the double entry of data if at all possible because providers, especially in the private sector, are not going to participate if they have to enter the data more than once. So we have tried, and we needed it to be flexible how we obtained that data or how we exchange that data back and forth. And the way we've done that with a majority of our providers is through a flat file ASCII transfer of data that they download into our system. And we can do that on an ongoing basis or a one time basis to get all their immunization information into the system. We've entered again, over 500 to 600 private providers historical information into the system using this fashion. We also have the health level HL7 standard that were developed by CDC, and our system is HL7 compliant. Our immunization registry either meets or is close to meeting the functional standards as described by CDC and as described by Ms. Williams.
The interface solutions, the interface options that we have are single direction from the provider where they can download all their information through the flat file transfer and then anytime they want to look up an immunization record they can just do it by entry into the system. The other option is a single direction to the provider, where they enter all the data into the registry and then we take a flat file, transfer off of that, and send it back to them for entry into their billing systems or to their electronic data systems. And then we have the bi-directional to any authorized user and that is primarily through the HL7 standard. It is by this that we have another privately run registry within the state of Wisconsin that we interact with the HL7 standard. We are also in the process of developing, and again, most of the downloads we do right now or the transfer of data is done a batch download basis because that's how the providers that we work with wanted it, but we also have a number of providers that are going to electronic medical records, and they don't want to have to enter their system and exit out of their system to go into ours to figure out what the immunization records are so we are in the process of developing a real time interface with electronic medical records. So their electronic medical record will immediately go to ours to look at what immunizations were giving and download that information into their system.
I need reiterate Ms. Davies from Washington was saying as far as the HL7 standards are concerned, because in my understanding there will not be a national based registry, only a number of state based registries that will talk to each other using the HL7 standard. However, one thing that needs to be taken into consideration is the different requirements that may occur by individual states as far as their vital statistic requirements are concerned, and we're trying to do some of those things with our bordering states but we need to take into consideration, and as she stated, on a state by state basis as far as sharing that information and it is not as easy as just making a phone call, there are different requirements that have to met.
As far as collaboration with Medicaid, our collaboration with Medicaid actually started during the 89-90 outbreak of measles, the measles outbreak of 89-90. Measles were primarily occurring within the Medicaid eligible individuals so we figured out that it was to our benefit and to their benefit to work together to improve the immunization registries of not only Medicaid eligible people but all people within the state of Wisconsin. At that time we were all part of the same division, in 2000 there was a reorganization, then the Division of Public Health and the Division of Health Care Financing, but we are still within the same department.
Our collaboration on the registry began in 1995 where they assisted in the scoping and analysis document and then in the fall of 1998 where we actually started the development of the immunization registry as we have today. My understanding we are one of the few states where the registry has been developed as a collaboration between Medicaid and public health.
As far as the two agencies are concerned, there's joint overall responsibility for system design and operation of the system, but however the data itself is managed by public health. Then we have joint responsibility for fiscal oversight, for all aspects for the registry and joint responsibility for oversight of all future service level agreements between the vendor and the department. Medicaid data to WIR comes by either downloads of Medicaid billing data into the WIR or Medicaid managed care or, we are a Medicaid state, as far as Medicaid patients are concerned, primarily the majority of individuals are children on Medicaid are through managed care, and we have provider agreements set up between the managed care organizations to get their information as well. And then we also get regular data entry by participating health care providers. This is one of the screens that we have as far as client demographic data and as you can see on the bottom it has funding and program eligibility as far as if they're eligible for VFC, Medicaid, and some of the other issues.
I want to point out to you in the upper right hand corner that you'll see Social Security number up there. The only reason that is up there is because, it is not used for any one of the identifiers for the patient, however, and once it is entered the screen disappears, so if the provider makes a mistake in entering the data and they've entered it they need to contact us in order to change it. The reason we have it on there is we intend in the future to make this accessible to parents to find the immunization records for either themselves or their children and it will be done so by Social Security number and it will be one hit and one hit only. So nobody ever sees that data once it is entered.
Again, some of the things that Medicaid is using the data for is the Government Performance and Results Act, known as GPRA. It was enacted in 1993 and it's to provide accountability for programs by all parts of the federal government, and programs that are to define performance objectives, undertake improvement activities, and demonstrate improvement. In Wisconsin the Division of Health Care Financing is the primary leader of the GPRA initiative with assistance from the immunization program. The measurement that we'll be using is the rate of two year old Medicaid enrollees who have been fully immunized and by fully immunized we are talking about four DTP, three polio, 1 MMR, 3 HIB, and 3 hepatitis B. And the Wisconsin immunization registry serves as the primary data source for that measurement.
Other Medicaid initiatives that will be used with the WIR is to assess immunization coverage data, to target outreach to high risk areas, and some of that will be used through our GIS programming, and then to target performance measurement improvement that they will be using with their managed care organizations to monitor their performance as part of their contract.
Future enhancements to the system. We want to develop electronic hyper link to the VAERS program, the VAERS is the Vaccine Adverse Event Report System. Right now we have the ability to go on and get to the form itself but we are working with CDC where that information would be provided electronically directly into VAERS. As I mentioned, we are also in the process of developing a real time interface with an electronic medical record system. GIS mapping proponent, again, the program is for mapping, so we can determine pockets of need, not only in the public sector but in the private sector as well through the Medicaid outreach.
We want to do automatic ordering of state supplied vaccines so it's again, so the providers as the vaccine inventory reaches a certain threshold that they can electronically order their vaccines from us, this would be vaccine for children eligible providers. And one of the other things I also mentioned was the parent access to the immunization records through the internet, and then one of the things again, to make it user friendly is electronic signature for a paperless system.
Our immunization registry was developed with public money so therefore we've made it available to other states and public health programs at no cost. That gives us the opportunity for cost sharing for future enhancements. So far the other states that are using it is the Minnesota Department of Health, which is good for us because it is one of the border states of Wisconsin and as I mentioned we are in the process of the vital records people as far as the sharing of the data, and again some of the other states that are using the system and U.S. Virgin Islands territory. The Gundersen Lutheran Medical Center is a private entity within the state of Wisconsin that took the software in its entirety and loaded it onto their systems and are building their medical records system around the registry.
And this is just the contact information for myself and our project manager. Thank you very much.
DR. LUMPKIN: Thank you.
MS. OCONNOR: Thank you for inviting me to present to you today. Last July Warren Williams actually of the CDC and Barry Gordon also presented to you regarding the California Cancer Registry. Today I will cover reporting to the California Cancer Registry from its early beginning, the current status, and what we hope to later achieve.
First I would like to start by giving you a brief background about our registry before discussing our electronic reporting systems. I will also discuss the creation of our state wide cancer database and the path that we're taking to facilitate cancer reporting in California.
Our primary sources report to ten designated regional registries. The CCR is part of CDC's national program of cancer registries, and also now as of all of the original registries, in fact the entire state of California, are also now part of the National Institutes Surveillance Epidemiology and End Results Program. Prior to 2001 the two regions had belonged to SEER, and that is region one and eight in the San Francisco area, and region nine in the Los Angeles area. Each of our regional registry functions as a central registry and we at the CCR further do the consolidation of the reports sent to us to create the state wide cancer data.
Our primary reporting sources include 450 hospitals, of which 150 have a cancer approved program by the American College of Surgeons. Have 8,000 physicians, 400 pathology laboratory, for the 135,000 new cancer cases that are identified annually. In Dr. Gordon's presentation to this workshop he described our rapid implementation of state wide cancer reporting by creating standards and providing software, C/NET. Our standards essentially mandated an ASCII layout to all our vendors so that our hospitals that are not using the software that we provide can report to us using this particular layout. We have also have just begun to implement standards for pathology laboratory electronic reporting. For physicians we also have standards for their manual reporting using an abstract form, and for some physicians who have opted that the regional registry staff collect the data for them, those registry staff essentially collect the data at the physicians' offices using the C/NET software.
This is a current view of our data system. Our reporting sources primarily report to the regional registry as I said earlier. Three of our regions, the two older C regions have their own regional database, and so as region 7/10 also has its regional database. All of those reporting essentially provide us the report for our data for California. However, I will speak to you later on about the creation of our state wide data.
With this current view we have key issues about our current system. These issues are in regards to the rapid case finding, the data extraction, obviously data integrity and management, our enterprise management, our partnership development and maintenance, and data utilization. Today I will only focus on those first three issues for improvement.
Case finding is not timely, it's not within 12 months, and primarily part of this is the fact that the information is not only for the diagnosis of the cancer patient but we also want information on treatment. The manual review of the pathology report is laborious. We are moving towards direct electronic reporting from hospitals and free standing pathology laboratories. In 2000 we undertook two pilot projects funded by CDC, electronic case finding from pathology laboratories in two of our regions. In one of these pilots an electronic review of the pathology report using word lists and SNOMED showed that two percent of the malignant cases were not identified to SNOMED. It also showed that whether one uses the word list or SNOMED to identify malignant cases, electronic pathology case finding tremendously facilitates cancer reporting, a laborious process can be improved on by not having to manually review 100 percent of the pathology report for which about 80 percent are not reportable malignant cases. Thus, electronic case finding is a strong focus in California with several projects underway.
E-Path projects are in hospitals and in our stand alone laboratories. One project captures messages from discharge and pathology systems in the hospital. A large stand alone laboratory also sends electronic files to one of our regions where an automated pathology routing is used to distribute these pathology reports to other regions.
Last year we implemented a new cancer data management system, EUREKA. The project's objectives including the creation of a single consolidated state wide cancer database, and electronic interfaces between the EUREKA and the data systems in region 1, 8, 7, 10, and 9. EUREKA is an internet based application and is currently used by regions two to six. The CCR office is the host site with the hardware, software and storage. CCR staff is also responsible for the version release and back-up.
For the regions with their own data system our EUREKA sub system has been created that follows the transmission from EUREKA to these regions, and the regions to EUREKA using XML. For each of these regions, a regional sub system is being completed to extract data from their system to send through EUREKA and to apply data from EUREKA to their databases. The migration of these regions cases is targeted to occur prior to May 31st 2003, so that indeed by June 1st 2003 the CCR will have a single consolidated state wide database. Thereafter the transmission from EUREKA to these regions and vice versa can occur on a daily basis as updates occur.
However, data integrity management continues to be a business issue for us under this system since it requires different computer edits and requires integration of the management of these databases. For example, when data changes occurs the viability of the state wide databases is jeopardized if these changes are not synchronized among the four data management systems. In addition, the system also demands that our efforts in maintaining software to be used at the hospital and by our regions are coordinated.
We also have issues regarding data extraction. We request physicians to report on a cancer case that we have identified and cannot complete due to incomplete or conflicting information. Currently, letters are sent to physicians to complete the abstract form. For those that opted to have regional staff complete the abstract for them, the letter is a notification to the physician of the staff's forthcoming visit to their office to complete this process. This process of following back to physicians' offices is labor intensive. Our plans for the future are to pre-populate an abstract for them to key entry or provide or for provide for a web based reporting.
With all these developments in our data system we will have a complex cancer reporting system, therefore, we created this view of California's future cancer data system. The requirements for this future view includes direct reporting from hospitals and pathology laboratories, web-based physician reporting, and a single data management system state wide with one database. Otherwise, we decrease our efficiencies with negative impact in our ability to use the cancer data. It also makes it difficult for our reporting sources to report the data, therefore at the same time that we're completing current project we are planning future projects to simplify this complex reporting system that we have.
In summary although we have implemented a workable cancer data system in California it is a complex reporting system. Our future view is to improve on this system and make it easier for our reporting sources to comply with the cancer reporting requirements, to