Public Comments: September 2007 – American Health Information Community Successor White Paper (August 2007)



The World Privacy Forum offered public comments on HHS’ American Health Information Community (AHIC) successor plans, urging that HHS adopt a “no stakeholders left behind” policy as it forms the new public/private AHIC. The Forum’s analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.


Comments of the World Privacy Forum

Regarding the American Health Information Community Successor White Paper (August 2007) to:

Office of the National Coordinator for Health Information Technology

Mary C. Switzer Building
330 C. Street, S.W.
Room 4080
Washington, DC 20201

Via email and fax

September 6, 2007


The World Privacy Forum is pleased to have this opportunity to offer comments in response to the Department of Health and Human Services’ August 2007 publication of the American Health Information Community Successor White Paper.

The World Privacy Forum is a non-partisan, non-profit public interest research and consumer education organization. Our focus is on conducting in-depth research and analysis of privacy issues, including issues related to health care. [1]

We have no basic objection to the creation of an AHIC successor entity. However, we are not convinced that the White Paper outlines the best way to organize the successor to accomplish the stated objectives of “….an effort to establish a balanced, effective, public-private collaboration among organizations and individuals in all sectors of the health community to reduce fragmentation of efforts toward realizing an interoperable nationwide health information system that enables improvements in health care quality, safety, and efficiency.”


I. Introduction

The World Privacy Forum applauds the Department of Health and Human Services (HHS) for publishing its American Health Information Community Successor White Paper (August 2007) [2] and for going through a public comment process for the American Health Information Community successor entity. It is crucial that the American Health Information Community (AHIC) successor transition is handled with transparency and fairness, and this publication and comment period was one step toward that.

That being said, we have found inconsistencies and troubling issues in the AHIC successor White Paper. Generally, we are concerned with the tone and treble of the White Paper, and its lack of processes and checks to ensure meaningful consumer participation. Additionally, there is a general lack of neutrality in the White Paper; the AHIC successor is not meant to be a vendor- led cheering section for health information exchange (HIE) and the National Health Information Network (NHIN). Rather, it should be a sober and credible organization that earns the respect and trust of consumers and consumer groups, including privacy groups, through neutral evaluation of options, benefits, costs, and risks.

We offer our comments below; it is our hope they will prove useful in assisting HHS in correcting some of the imbalances and inconsistencies in the AHIC White Paper.


II. Fees and Fee Structure

We have difficulty reconciling statements in the White Paper about fees for operating the AHIC successor. On page 4, we find this statement:

Membership fees, if any, cannot become a barrier to participation.

However, on page 10, we find:

Membership. The membership would consist of those organizations, entities and persons who want a voice in the running of the AHIC successor and a vote in its affairs (including the election of its governing board), who would become members of an applicable stakeholder sector and agree to pay dues and make initial capital contributions (members). All members in all categories would be expected to sign Participation Agreements that bind them to using the AHIC successor’s standards, policies, and procedures when transacting business with the AHIC successor or another member of the AHIC successor. In order to induce broad and robust membership in the AHIC successor, any member would have the right to withdraw from the AHIC successor at any time in its discretion, on designated written notice, without adverse economic consequences to that member.

We highlight language about barriers, dues, and capital contributions. We do not know how fees will not be a barrier to participation if members must not only pay dues but also make capital contributions. Consumer, patient, and privacy groups will be unable to participate if members must pay dues, and they will certainly not be able to make capital contributions. Indeed, it is more likely that consumer, patient, and privacy groups will require a subsidy in order to participate, attend meetings, and fund necessary travel costs.

We note that ANSI is put forth as a relevant model of a public-private partnership (p. 17.) ANSI’s fees are too high to allow participation by privacy and most consumer organizations, something the World Privacy Forum has noted in previous public comments. Full ANSI membership begins at $3,100, a fee too high for all but the very largest consumer non-profits, and a number too large for any privacy-focused non-profit organization. The AHIC successor needs to not only avoid barriers to participation, the AHIC successor needs to ensure participation by either subsidizing fees, or by not charging fees at all to organizations whose participation is essential and will not occur without support. We believe the participation of consumer and privacy-focused groups is essential to the AHIC process and without this participation that the credibility of the AHIC successor will be in question.


III. Openness

The AHIC successor will, notwithstanding suggestions to the contrary in the White Paper, engage in government functions, determine obligations, set fees, impose sanctions and undertake other activities with an essential governmental flavor. The importance of the health care sector to every individual in the United States and to the economy as a whole demands that there be official government participation with the full accountability that government activities entail.

Processes that establish standards for light bulbs, screw threads, and other technical measures are not a precedent for an activity with the scope and importance of the AHIC successor. We note here in passing that technical standards are sometimes determinative of the rights and interests of consumers, but that consumers and their representatives are often unable to participate in standards development for lack of funds, as discussed previously in these comments (See the “Fees” heading). This leaves well-financed companies and other organizations to make decisions that affect consumers without consumer involvement. The precedents cited in the White Paper are not reassuring from a consumer perspective.

It is essential that any AHIC successor meet standards of due process, operate with transparency, and include effective oversight mechanisms to ensure that all interests are properly considered, and meet reasonable standards of accountability. The organization should be required to comply with open meetings requirements and access to records policies.


IV. Privacy Representation

On page 6, we find a proposal for a Senior Data Uses Officer:

(g) Senior Data Uses Officer for data stewardship, privacy policy, accreditation, and uses of data for purposes such as public health, research, quality, and all other related activities.

It is telling that the officer who has responsibilities for privacy is titled the Senior Data Uses Officer. The title indicates that the officer is responsible for supporting and perhaps encouraging the use of personal health information. The White Paper does not suggest the more common title of Privacy Officer. Any AHIC successor needs a privacy officer who has a significant degree of independence to aggressively represent the privacy interests of consumers and to make sure that there is enough tension within planning, development, and implementation activities to minimize the effects of decisions on privacy. If the same person is responsible for defining data uses and privacy policy, it is not hard to predict that privacy will always give way to any proposal that broadens the use of data. No one can reasonably expect that privacy concerns alone will control all decisions, but privacy needs to have sufficient independent representation so that any balancing of interests will be determined fairly and openly. This may require that a privacy officer should be able to report directly to the Board, the CEO, the Congress, and the public.

To achieve credibility in the area of privacy, a Chief or Senior Privacy Officer (not Data Use Officer) should be appointed, and should be given wide latitude and authority. Additionally, this individual should not be beholden by background or other conflicts of interest to advocate for the interests of those with a financial stake in the outcome of HIE or NHIN activities.


V. Conflicts of Interest

On page 11, the White Paper establishes what we consider an impossible standard for addressing conflicts of interest:

Directors would be expected to serve in both representative and fiduciary roles – with responsibilities to consult with their sector constituencies and, at the same time, expected to make determinations in the course of Board deliberations in what they determine to be in the best interests of the AHIC successor, and the broad public and stakeholder interests to be served.

How a director of an organization can be employed, funded, and supported by a particular constituency and still be expected to represent any interest other than that of the constituency is a mystery. Any expectation that directors will come from the various sectors of the health care industry and still represent public interests is naïve at best and a deliberate falsehood at worst. Because of the importance of this activity to the public, there must be more express representation of constituencies beyond the health care industry. We certainly acknowledge the need for industry representation, but industry should not be in a position to make decisions that affect everyone based on the premise that its representatives will look out for the public interest rather than their own financial interests. We have come a long way from the days when “What’s good for General Motors is good for the United States.”


VI. No Stakeholder Left Behind

On page 14, the White Paper lays out a “value proposition for consumers.”

Consumers: Increased role in the development of privacy and security policies and practices.

How the AHIC successor plans on giving privacy groups and consumer groups increased roles in the development of privacy and security policies and practices is unclear, uncharted, and ill- defined. The AHIC successor needs to clearly and specifically define and disclose how it will reach out to consumers, consumer groups, including privacy groups and include them in “increased roles.” The White Paper should document how it expects to remove barriers to participation by these groups, including privacy groups, and to document required efforts to attract consumer representative members. These outreach efforts need to be published regularly for purposes of oversight and accountability, and a recourse mechanism should be set up so that consumer groups who are not able to purchase or otherwise find a seat at the stakeholders’ table are able to have a meaningful voice and a seat at the table. In short, there needs to be a “no stakeholder left behind” policy if an AHIC successor is going to achieve credibility.


VII. Privacy and Identifiability

On page 9, we find this paragraph:

Based upon a sound policy framework to ensure confidentiality, privacy, and security, the AHIC successor should identify opportunities to create and use interoperable health information for clinical care and for purposes in addition to informing direct clinical care. These uses of health information may include but are not limited to: clinical care, biosurveillance, mobilization of clinical and related response to emergencies, post-market surveillance of medical products, clinical research including clinical trials for medical products, tracking of fraud and abuse in health care, remote delivery of clinical care, population and health services research, measurement and reporting of provider performance, and personal health management.

We cite this paragraph because it contains what has become a ritual reference to “confidentiality, privacy, and security” followed by a long and expressly incomplete list of data uses. As has been typical in HHS activities involving electronic health care activities, we find no express recognition of the need to affirmatively restrict the use of data or of the possibility that other admittedly important objectives might be served through the use of non-identifiable or less- identifiable data.

Many existing institutions performing reasonable health care activities (beyond treatment and payment) operate today using fully identifiable data because no one ever took the time or effort to look for ways to accomplish those activities with non-identifiable data. Future planning for health information systems and technology should begin with the express objective of seeking methods of restricting the sharing of identifiable data while still allowing other institutions to function. If no one looks aggressively to find ways of limiting data use, then we face the certainty of greater data use and data sharing.

We do not suggest that this will be an easy task. Too many institutions that use health data today are addicted to identifiable data. Weaning those organizations away from the use of identifiable data may be harder than weaning addicts from drugs, cigarettes, or alcohol. However, the advent of new health care technology provides the perfect opportunity to accomplish the feat.

While we have many disagreements with the policies represented in the HIPAA privacy rule, we do admire the rule’s innovative attempt to establish express standards for non-identifiable data and its process (data use agreements) for sharing data with a somewhat higher degree of potential identifiability. We do not suggest that the HIPAA rule’s approach is the best or will solve all problems. However, the idea of allowing third parties with legitimate objectives the use of data with diminished identifiability and increased accountability is excellent. Promoting greater use of data with diminished identifiability should be an express objective of the AHIC successor.


VIII. Conclusion

One of the most substantial challenges the AHIC successor faces is that of credibility. Even if the new successor organization were perfectly attuned to the needs of patients and consumers, the new entity will still need to prove its objectivity, its commitment to consumers, its real and demonstrable commitment to privacy and confidentiality, its transparency, and its accountability through its actions and decisions.

If the White Paper is any indication, so far, the AHIC successor is not on the path to achieving credibility with consumers. We are concerned by the lack of fundamental attention to consumer needs and perspectives in the AHIC successor White Paper. The White Paper contains contradictions regarding removal of barriers to participation in the AHIC process which are troubling and do not bode well for robust and meaningful consumer representation. Further, the White Paper does not expressly provide or ensure a robust role for privacy and consumer groups in this process. Only the largest, wealthiest consumer groups would have the capital to function actively within the AHIC successor as outlined in the White Paper, and this is neither appropriate nor desirable.
And finally, the tone of the White Paper pushes toward increased data use instead of a more neutral stance of looking at options regarding appropriate and desirable data limitation and de- identification. An entity that seeks to appoint a Data Use Officer instead of a Privacy Officer is already on the wrong path. There is still time to rectify these issues, and we urge HHS to do so.

The basic truth of HIE is that consumers may be engaged now in a meaningful, robust, well- represented manner (which includes participation by privacy groups), or they may be engaged later. But the longer the healthcare sector avoids tackling the very real privacy, confidentiality, and secondary data use issues attending HIE, the more the sector increases its chances of losing credibility and ultimately losing consumer trust in its activities.
We look forward to working with HHS on this important AHIC successor transition process.


Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum




[1] See <>

[2] American Health Information Community Successor White Paper (August 2007), <>. Hereafter noted as “AHIC White Paper” with page references.