 to call the meeting to order the Data Governance Council. The first item on the agenda is for me to give a chairs report and I have a couple of announcements and we do have a forum right? So the NORC and I'm gonna what does it stand ORC? Yeah in ORC we don't have to say what it stands for. It's just NORC, he's like IBM. NORC data use agreement has been approved. The purpose of this DUA is to provide features data to support the federal government's CMS's evaluation of the all-payer model and to answer questions about model impact on population health outcomes statewide spending across all pairs delivery system and process measures other measures of health care utilization spending and quality of care and implementation of challenges and successes they are actually going to be in Vermont over the next week doing some interviews with folks so that's great. So we are also at the board looking to finish up some senior level staffing and positions being filled so we are we are gonna wait at least one more meeting to fill Pat Jones's old seat on the Green Mountain care board I just wanted to give you that. I mean sorry on the Data Governance Council I elevated Pat. And that's all I have to announce so the next item on the agenda is to approve the April meeting minutes so do we need a few minutes to oh okay okay all those in favor to approve the minutes from Tuesday April 2nd 2019. The minutes have been approved from the Data Governance Council all right so the next item on the agenda is we're gonna have our lawyers a couple of our lawyers from the Green Mountain care board from our staff give us an introduction to public records laws and the interaction of the public records law with APCDs and I think we're going to be looking at a national perhaps a state view just to set this up the question of APCDs and public records comes up from time through requests at the Green Mountain to the Green Mountain care board and this is also an issue that other states face with their APCDs we want to hear your feedback after Lynn and Amaran presents on this pretty interesting and we issue so we're gonna go through this presentation and then we're going to you're both going to present together or okay and then we'll open it up to the council do you want them to ask you questions as you present? Okay I'll turn it over to Lynn and Amaran. Thank you. You all know me. I am one of the associate general counsels at the Green Mountain care board and I generally advise on the data issues which is why you see me all the time. My colleague has graced us with a cameo to die with and my request so thank you. This is Amaran Abidjali she is the other associate general counsel at the Green Mountain care board and she also happens to be our records officer which she can talk more about that position but she is most certainly our expert in the office on public records issues she prior to being with the Green Mountain care board she was a diva but she was also prior to that at DHR where she was their records officer for I believe several years so she managed all their public records requests and prior to she's originally from New Hampshire I believe but was in California for a number of years so you actually have two California attorneys here and while she was there she was in private practice but was advising municipal governments largely about a number of issues but open meaning laws and public records issues there as well so she was gracious enough to come today and you guys don't have to listen to me monitor these issues. I think an overview of what we want to talk about today as the chair mentioned this issue does come up from time to time we all are very familiar with our DUA process and you know the analysis that we go through about whether and how to release plain bubble data in the DQR database occasionally we do get requests also that don't go through the DUA route but we do get them by the public records act which everyone's going to talk more about so this is an issue that we do confront from time to time it's also an issue that other states are facing and the purpose what we wanted to do today is we kind of wanted to present the topic it's something we've been noodling over in the office a lot recently and as Susan said it's a really weedy issue and so our intent and hope was that we could get your guys's feedback kind of on these general principles and really think about it in the context of going through our data release rule so that as part of why this has been put off because this is an issue that we really want to think about more and have been trying to think about in the contents of the data release rule that we're working on and then also in the contents of the policies and procedures that we just passed so we thought would be an interesting and useful discussion and we want to hear feedback on it so please do ask questions as we go or we can say them until the end whatever this is supposed to be a discussion interactive let's turn it over to Ameron with that good afternoon thank you for having me Lynn thought it might be helpful just to provide some background on the public records law generally public records law in Vermont and some of the basics from a fairly high level overview but if you have more specific questions I'm happy to answer those as we go along so to start with what is the idea behind the public records law the idea behind the public records law both from the federal level and the state level is that we want the public to be able to obtain copies of government documents and the purpose behind that is to create transparency and also allows basically the public to take a look at government decisions and see how those decisions are made most state laws that most state public records laws are based on what people call FOIA which is the Freedom of Information Act FOIA only applies to federal agencies and most states have their own records law that applies to state departments and agencies so so this is the this is where you can find the public records act in Vermont statute the public records act applies to all the public agencies at all levels including in some instances such as there is councils or committees or commissions so it's important to keep in mind that it's not just state government at the whole but it's broken down even into the small components within state government another thing to keep in mind which people don't often think about when making a public records request is that public records as they're defined by statute are not just things in paper or electronic copies of things in paper we're talking voice mails and really any anything that's been recorded is considered to be a public record and that definition has evolved over time as our government records have evolved over time and technology has evolved so another thing to keep in mind when you're thinking about the public records act is that it applies only to records which the agency still possesses so people may come to an agency and say I want to see such and such records but those records no longer exist because every department agency is supposed to have records management policy and guidelines about when they can destroy records and how long they're required to retain their records in the course of agency business so that's just another thing to keep in mind when thinking about public records law so the statement of policy as I mentioned earlier the idea is behind a free and open examination of records and that it serves the public interest to review and criticize decisions of government and along with that there's also the need to protect in the individual right of privacy because our government is made up of individuals and people who live within their communities and so there are also exemptions that apply to protect the privacy of individuals unless the information itself is needed specifically for some reason to review the action of a government officer and that is a pretty high threshold to meet in some instances depending on the privacy nature of the information having said that if all things are equal the courts have said that the policies in favor of release of the documents if it comes down you could go either way the scaler in the courts is going to tip towards releasing those documents so a little bit about requesters anyone can request public records it could be someone who already works at their state documents it could be an organization individuals and an important thing to note is that when reviewing a records request you can't look at the motive behind why someone's requesting and you may know that they are actually trying to disrupt government operations they're trying to cripple an agency just because they can have been instances where people have made public records request for I want every document that has the work water on it and the purpose is just purely to disrupt operation so that's probably an extreme example and there are ways to deal with those types of requests but generally speaking the idea is that you're not going to make determination based on who the person is and why they're asking for it in deciding whether to release the document in terms of process the agency must produce the requested record which is important to know we do get a lot of requests sometimes where the request is not clear exactly what records the person is looking for we are allowed by statute to go and ask for clarification but I think they're requesting this but I'm not sure if you think from this or you say this but maybe you're only interested in a certain number of years it would be hugely burdensome for us to go back and try and get everything that's happened over the last ten years that might be responsive to this request are you really interested in the last ten years or are you looking for the last three or the last six months and a lot of times people are looking for something much smaller than what we have and so we use follow-up seeking clarification as a tool to limit the burden on us in producing documents and also to limit the burden on the person who requests the information and then receives a huge pile when they were only interested in a small amount of information so as part of the record a lot individuals are allowed to inspect or receive a lot of the information inspection does not happen that much these days given how easy it is to email documents so usually she usually copies of records there are some fees associated with that which I'm not going to get into today unless anyone is interested and then it is also important to know that there is a series of exemptions where the agency can withhold the record in its entirety or where appropriate might redact information that is exempt but there's still remaining information from the document that you can't produce yes the third bullet is that an option on the part of the agency they can if there is exempt material in the document they can withhold the entire document or do they just have to redact the exempt information and provide the rest of the document the latter if the information is if you can segregate the exempt information from the other information then you're required to do so having said that if by segregating information the document becomes useless and you are not required those circumstances that would happen are pretty small but there is if you end up redacting 95% of the document all you're left with is the headers and the page numbers then there is no point in producing that document but in general you're required to redact if you can redact information and produce ways and not exempt. Secondly most of you have a number of pre-email days but in the pre-email days people could try to avoid having to pay for the record by coming in and inspecting it first and then just saying this is what I want. Where have things evolved in terms of paying for records that are electronically transferred? So that is still the case there are still some circumstances where I think people come in and choose to inspect rather than pay for the copies. However because Vermont allows agencies to charge for staff time in making the documents available there is still that as a lever that usually prevents abuse like just pure abuses of coming to inspect. It takes us 18 days to put Taylor back in and say well we're just inspecting so we can't charge us. There have been some cases in Vermont more recently where people have started to challenge the idea that to inspect they should be free inspection. And it I would say is really sort of an evolving landscape there that we deal with on that. I mean the requesters were saying that they should be able to inspect the free. Just on the third bullet, agency can withhold or must withhold exempt records? So it depends right if you are required to if you're required to keep information confidential for some other reason such such as HIPAA such as other federal regulations like court order. I mean there are a lot of circumstances where so if there is something else saying you absolutely can't release this then you can't. But so that's why we say can because there may be circumstances where the only thing that we don't need to release it is one of the public records law exemptions. I find that to be less common than the argument that the statutory provision that says that the agency is not required to create a public record. I find that people push back more on that asking I know you don't have to create a public record but will you because of the following reasons of why and that's going to be information. So you don't usually see that but technically unless there's another law that prevents you from disclosing it you have the option of exercising exemptions. And whose option is that for you? It's the agency. The agency secretary or? It would be the department head. Yeah. Whatever the records custodian is which is typically the head of the department or agency. So moving to exemptions in Vermont there are 40 exemptions in fact. That's not to say that there aren't the scope of exemptions in the federal law isn't that broad but they put it into much smaller buckets. I think it's seven that are used commonly maybe two more that are used in certain circumstances but in Vermont we lay it off the whole bunch. And then in addition to that there are a lot of Vermont statutes that specifically exempt categories of documents from inspection and profiling under the public records law. And then of course there are other laws that would prohibit you from containing those records under federal law. So these are some examples of exemptions under statutes. I won't probably go into them. I will say that when we say confidential under law it's actually designated by law as confidential or similar term. But even if the law doesn't say this is confidential it can be something that is similar term. They don't define similar term but it is interesting that it's in there. In case someone for example when making a statute forgot to say where does it mean this information is confidential. But it's clear from the text of the document that they intend this to be confidential. And this is some of the things that I was mentioning in the planning to come were required to redact it with the not as important records if they can be segregated. And then just in case someone does not agree with our reasons for withholding documents they have to appeal to the department head before they can appeal this in court. So if they were to appeal it to the department head then we would have five business days to respond to that appeal. Yeah I was going to say I should give the copy off that I wrote these slides so all of the mistakes I want to show you. Well I was realizing when you were talking that there isn't a mission. Can you speak a little bit more about the difference between we have to give records that already exist but we are required to make a record. Because I think that's probably relevant to our discussion too. Sure just as part of the public records law the agency is not required to create a public record. They're only required to produce those records that are already in existence. There has been a lot of conversation in recent history about what is the creation of the public record in the age of electronic records. And the public records law is specific about what is the standard format for a record and what is the non-standard format. The non-standard format is created but provided that the standard format is not. So if you have for example a PDF document providing a printout of that document you would be a standard format. We can't say it's a PDF but to give it to you you would have to print it out for you to inspect. Therefore it's creating a public record which we're not required to do so we can't do that. So the records law itself is specific in terms of how you deal with some electronic records and what's considered creating a record and not creating a record. And I think this is an area that will continue to be examined over time as the types of electronic records come into existence. As we start doing things like archiving emails into different formats where you need to open them up in a specific program. You may need to adapt information if they require you to put it into a different format or you put it into the format that someone can do. And so there becomes more and more layers of how you get the document from where it is to a point where someone can do it. This hasn't been something that's been that litigated in Vermont. I'm sure that there are states that have more expensive litigation on this probably California. They have a lot of records and a lot of people, a lot of litigation. So there are certainly states I think that we can look to to look for guidance on those issues but Vermont itself has a lot of those issues at this time. Related to that, maybe you could speak to the definition of a public record. I deal with that a lot in my day to day that all that we do are public records and there are exemptions to the release of that. But the idea of some things are public records and some aren't is a misconception I encounter a lot in my day to day. So the creation of a public record means the creation of a different form of the same information in the example you just used. That's one example of creating a record. It could also be that you're asking someone to take an easy example where rather than I don't want the 100 documents that show me all this information. I would like you to write me with a summary. That is a very common one. It's like, oh, I don't want to thank you but I don't want to go through a thousand records on this. Could you just give me a summary of it? And so that is, you know, some of those circumstances where the agency may decide you know what it is easier for us to provide you with a summary and create a record. Rather than us will pull those 1000 documents and do it actions and things like that. But to your point, I think, and I don't think we have the specific, we do have the statutory language. Oh, yes, we do. Yeah, so records produced or acquired in the course of public agency business. It's very, very broad. I agree that I have also encountered some misconceptions about what is a public record versus what is just public. People say, well, it's not a public record because it's not public. That's not what we mean when we say a public record. We just mean that it's a record used by the public agency. And I haven't even thought about that. I think another misconception that I found about public records is that the agency that I mentioned before, I mentioned this earlier actually, I think, but sometimes people think, well, I don't. Tell me why I have to give you the document. And it's not. Tell me why. And that's not it. I have to show you why I can't give you the document, right? So it's in favor of people who are leaving the document. And that sometimes ends up. In terms of destruction of public record, does every agency get to accept their own retention policy? Yes and no. Every agency is required to have one, but it is reviewed by the Vermont State Archives and Records Administration. Thank you. Yeah, Visara. So agencies and departments work with Visara. Then it has to be approved by Visara, both the schedule and the policy. I'm happy to answer those questions. I can do it, but you might be glad you're here. I was just going to say, too, before we move into the other half of this presentation, I've got one other example that I routinely dealt with in my past life, including civil litigation, is backup tapes, and other ways that organizations retain their electronic information for disaster recovery purposes. We would get these questions in discovery a lot. The plaintiffs would say, well, you don't have this on your email system, why can't you go to the backup tapes? And I don't know all the technicalities of it, but I know it is extremely difficult and extremely expensive to recover information from backup tapes and things like that, because it really is just intended for, you know, there's a massive earthquake and the building where all of your data, your server is housed, is gone. So, those kinds of interactions happen a lot in civil litigation, too. So I suspect that it's probably something that's relevant to your response and you're talking about ways to do that. Yeah, I think that's true. I also find that sometimes it has been important for me to remind people that just because our records retention schedule says the document was due to be destroyed two years ago, that I actually need to have them confirmed that it wasn't that destroy. Sometimes boxes just get put in a line and they're waiting for their turn to be destroyed and so you are still required to produce that record even if the record retention schedule says it should have been destroyed two years ago. The fact is it wasn't and you still have it. So you need to produce it. And I think to Lynn's point, I think as different modes of storing information continue to evolve, there's been more conversations about the cost of the agency. You have to produce some of the records that are stored in a way that is expensive because the cost schedule that is currently in place, I don't know, fully addresses some of those scenarios where it is extremely expensive to pull information out of where it's being stored. And I think for the time being, the intent is that agency departments will be putting the bill until the laws catch up with technology. It just seems like a paradox to say that we're retaining these public records and therefore they're theoretically available to review, publicly review, but it's expensive to make them available. I have a retention policy that allows you to store them in a manner that makes them unretrievable except at great expense. That's more of a policy decision, just weighing the potential need to retrieve versus the cost of having it available. So moving on to the next piece of this. I'm not going to do an overview of the ABCDs. I think everybody here is generally familiar with the concept arts and courses. He cares and we also have a bunch of things that we talk about here a lot. Overall, like I said, when we start looking into this issue, we were very curious about how other states handled this too because it is an issue in other states. As Amron said, all 50 states have public record laws. We are now up to more than 20 states that have a ABCD legislation. I was trying to count on the ABCD's website, and it was quickly approaching 30 states with legislation. Not all of them have actual operative databases yet, but it is definitely something that states are talking about and doing. I think this is kind of a concept we're familiar with, but states take varied approaches to data collection and release in terms of respecting privacy and protecting privacy and those kinds of issues. A lot of that is tailored to what the purpose of their ABCD is. As we're going to talk about in a minute, the purpose is actually varied pretty greatly from states, and a lot of that is put into the statute. Ours is kind of very broad in terms of understanding healthcare costs and doing the work that the Green Man Care Board does and looking at our healthcare system. There are other states, Minnesota is one that comes to mind, that are really very specific in terms of the things that you're supposed to use the ABCD for. So that is definitely varied. I think one of the ways in terms of collecting the data, one way that states approach it is they will only collect limited data sets. So from the get-go, they will not collect certain information from the submitters. One that we use currently is the collection of de-identified data sets, meaning that the information data set is somehow coded so that the individual's identity is not easily known or discerned from the data. I want to do a little copy out there too, because I tend to use some of these terms interchangeably. There's de-identified in the general sense, meaning that you can't identify who the person is from looking at the piece of data. HIPAA uses the term de-identified as a term of art. Under HIPAA requirements, there are two ways to officially de-identify information. One is to go through a pretty complex process that an expert does to de-identify the way that a lot of organizations who don't go the expert route do is the HIPAA Safe Harbor provision. And there are 18 identifiers of information that are listed date of birth, name, any date beyond the year is another one. There's some requirements about zip codes, email address, those kinds of things. And the de-identified for Safe Harbor purposes means all of that information is removed from the data set. So just to clarify that. In terms, they also can place strict parameters on how live identifiers are collected, meaning things that can readily identify an individual. So name is a good example of one address is another. In terms of release, sometimes states will not allow the release of their APC data or they will only allow it to be released to state entities. I'll talk about this later, but Minnesota is one that comes to mind on that because they actually have their collection for their APC data. When it was originally enacted, they collected it and it was intended to be used for one purpose and I can't talk at the top of my head remember what that was. And the only people who were allowed to access the data was the Minnesota Department of Health only for that purpose. And they broadened it a little bit, there are now five or six purposes for which the Minnesota Department of Health is allowed to access the APC data but they do not release it beyond that. So Minnesota is probably the strictest on this. And also in terms of releasing information, sometimes states will just go with reports and analysis of the data. That's Minnesota is falling into that category, like they will release the reports that they do, pursue it to be like six purposes for looking at the data but nothing more than that. And the other thing before we go further, I just want to clarify, we're talking here about claims level data, so your individual claim file for a particular visit to a health care provider that gets submitted from your insurer. We're not talking about analyses, we're not talking about the reports that the Green Mountain Care Board is doing, we're not talking about those kinds of things. This is just specifically the individual claim that shows up in the B-Cures database. So that's just worth keeping in mind as we go forward. Just one quick question. Do you know are there any states that don't have legislation but that do have an APC degree? No, I was wondering about that. I don't think there are, I think they all are inactive by legislation but I think there could be a situation. I know there are states that have private entities that I can say contracted with to manage their APCDs but my suspicion is they still have a statute that creates it. It would have to be private because if there's probably leadership legislation. I don't know of a state that has an APCD that doesn't have a statute that enables it but there are some states that have a state APCD and a private APCD and there may be some nuance there. Yeah, and a lot of it too is state regulation in terms of requiring insurers to submit to it so that piece of it has to come in at some level in terms of mandating that people submit the data to the APCD subject to Govay, of course. Put that copy out of it. Generally speaking, like I said, it's state specific laws and regulations that usually govern the release. Most states that release data are guided by the HIPAA safe harbor provisions, the HIPAA sanctioned delay process, those kinds of things. Or they have a similar state requirement. It may not necessarily be expressly HIPAA but they have similar state requirements. I love this lovely graphic. This is actually from a publication from a couple years ago but I think we all know and this is kind of our policy too that the more specific the information gets about an individual, the more heightened the protection we want to include on it is. So that's usually the philosophy. This is again from that same publication, so thank you. I hope I appropriately credit it. This is from two years ago and actually did not include Vermont. But it's information that I thought gave a good overview in terms of examples of how states protect their data. In terms of ways in which you're allowed to release it, the day you're allowed to release, the people who are allowed to get access to it, and then also pricing probably less relevant to this conversation. And I'm pretty sure I went through and did everything that Vermont does, tried to make it look somewhat readable. And I would also say, Sarah and Kate have any objections to any of those? I did not want to spy on them first, so they might correct some of that. Moving on to the next slide. In our research, there is actually model legislation. I know this is a term we use a lot in the global, and I don't know, so apologies if this is something you guys already know, but oftentimes the organizations or lawyers or committees or whatever put together and put best practices in terms of like, here's what we would recommend you include in your legislation about this, or here's what we would, they do it for contracts, they do it for all kinds of things. But in this case, there was actually a model statute that was put together by NADO and the ABCD Council, and I believe the University of New Hampshire was also involved. This is their recommendation on the statutory language, the first section. They recommend making sure the statute includes language that says the healthcare information collected and maintained by the ABCD program shall be considered confidential and exempt from disclosure by law. They also go through a policy discussion in the accompanying discussion that they include with the legislation, so obviously they say, you know, tweak it to what's appropriate to your state and what's appropriate to your ABCD purposes, but they do acknowledge and recommend that it is important to specifically identify this information as being confidential and perhaps not information that you would normally go through a route of releasing where somebody, you know, where you don't have to do more analysis about the purpose of the request. We also have done some general communicating with these organizations and they have about what their recommendations are, what they are seeing in terms of this. The recommendation from NADO and from ABCD Council was that authorizing legislation should include some kind of language exempting the collected data from public records requests. Something in there acknowledging, something in there talking about that this is a particular special kind of data that's being collected. So other states that have done this, Utah has the language in there that says the information report statements and other data received by the committee, the committee is the entity that manages the ABCD, strictly confidential, and that the use of publication shall be done in a way that no person is identifiable. So they kind of give the heightened terminology of strictly confidential to the information. And California's route, their statute says that individual patient level data shall be exempted from the disclosure requirements of the California Public Records Act. So they specifically exempt the data from disclosure under the Public Records Act. Rhode Island takes a slightly different approach. And interestingly, Rhode Island's law is done by regulations. So it's akin to the rules that we are offering rather than going to the statutory route. The Rhode Island law is the data sets and other information submitted and maintained in the database of their ABCD shall not be a public record and no disclosure of any of the data sets or health information shall be made unless specifically authorized. So they specifically exempt their data, say that it's not a public record, even though it's being collected by and submitted to a government agency and used for government agency work. And I guess that's about what Rhode Island is. And then I think as we discussed with Rhode Island, their statute is extremely strict in that the only people who are allowed to have access to the data are the Minnesota Department of Health, who are the custodians of the database. Moving forward, I'm kind of flying through this because I want to make sure we have time for discussion. I think generally the route states tend to be taking kind of following the three buckets. One is the Rhode Island bucket, which is the information in this database to claim blood information is not a public record. I think more states are going with the California route, which is it may be a public record, not really saying one way or the other, but it's expressly exempt from disclosure. And then I guess I should say more states are going with language that talks about heightened protection for the information and perhaps talks gives guidance as to how it should be released, but does not specifically call out or identify any interaction with state public records laws. It seems to me that the California route is more restricted than the California route. California is basically talking about an individual record, where the Utah has this phrase that the information should all be done publicly, so that's the way that no person can identify them. So that you can have a record that if somebody can kind of humiliate data around it and scratch out that record and identify that record, that seems more restricted than the California route. You know, that's interesting because I think I could see it both ways. My reading of California is, you know, we talked about in Vermont context, I think the principle is the same about redaction versus, you know, just withholding the record entirely. And I think for California, the way I read the statute is you may be able to make a request under the statute, but you cannot have the information period. The entirety of these records is exempt. I think I would read this in a way, and certainly the APCDC Council reads this as something, reads this as not being exempted from the Public Records Act. I think there's a way to make an argument more that obviously they want heightened protection. They're intending that the information be not be available to the public, but the privacy of the individuals is very important. But, you know, I think there may be more wiggle room to argue about what strictly confidential means. And then I also think in reading, I will say I think in reading in a way that no person is identifiable, I think that's pretty strong language because it's not just there aren't direct identifiers in there. It's that, like, I would read that as if you like this to another database, you still can't identify people. That seems to me to be a pretty strong standard. So I would say I would look at it in both ways. I don't know if you have anything to add on that. I would say that whenever looking at the statutory provisions that govern one of these databases that you want to look at it in concert with what their Public Records Law is, the Public Records Law and how their formatted and structured do differ from state to state. So it could be that Utah has an exemption that says anything doesn't make this strictly confidential cannot be released under the Public Records Law. That could be one of their exemptions whereas the second sentence of that talking about in such a way that no person is identifiable actually also has to do with how the database in other circumstances outside of the Public Records Law, how that data and how those reports are used. So I guess that would just be my input is that whenever you're looking at a statute governing the database, you need to look at it in concert with how the Public Records Law is. Going to Vermont, like I said, the purpose of this is we really do want to have a general philosophical discussion here but I figure after going through all of this it would probably be unfair to not at least a lot of things would be like this in Vermont. In the statute, the Enabling Act, the Creative B-Cures actually does talk about the collection storage and release of data and the statute specifically says the collection storage and release of health care data that are subject to federal requirements of the Health Insurance Portability and Accountability Act shall be governed exclusively by HIPAA and their related regulations. So in looking at that statute entirely based on a language that the release shall be governed exclusively by HIPAA, it appears that the legislative intent behind the statute was to direct that the board, the custodian of the records review the data and whether or not it's comfortable to release the data based on HIPAA as opposed to reviewing it under the Public Records Act. So that's certainly the way the language goes in the statute. There are also other places in the statute that have a heightened confidentiality of the information and you know allowing the board to enact rules and regulations like our way process, like our policies and procedures that would also govern how data is released. I don't know if there's anything else you want to add about our particular statute that I've covered most of that. But that's certainly the reading is that the legislative intent was that HIPAA is what dictates the release of the data as opposed to the Public Records Act. I have to say now in true lawyer arguments, this is something lawyers do and I think a lot of people roll their eyes, we have to take the second approach which is even if it were governed by the Public Records Act, which we don't think it is, even if it were governed by the Public Records Act there are a whole bunch of exemptions that would apply to this data. And again, we're just talking about the individual claims files. We're not talking about like analysis that gets done or something like this, it's just like the individual events. So I again won't read through all of these, but it's a long list and I think this is probably not an exhaustive list. There are probably other examples too that we have that could come across and look to. I will note specifically as far as the years goes we have a data use agreement with the federal government that also strictly governs how we can release Medicare data. A lot of that is related to the Federal Privacy Act and we also have a memorandum of understanding I believe with DEMA as far as Medicaid data goes that places similar restrictions on how we can release the data. So those are two other things that really govern and apply and how we think to releasing information. So I think at this point, unless there are specific questions, I think we'd like to open it up to discussion. I think at least from my reading of it the Public Records Act laws are not really a clean fit and we've come to talk about releasing data from our APCDs for a whole bunch of reasons. I think technology is one reason so when we're talking about creating records we're talking about the expense of compiling records and those kinds of things those things come up. And obviously the Public Records Act analysis is very different than our DMA process analysis. At the end of that those would be the comments that I would make and I think questions obviously we're happy to respond to and more importantly I would like to give feedback. Yeah, do you just the council have enough framework here to just and I think Lynn Bennett we have open discussion around policy and then direct questions as they come up. We really want to hear from us as we look to let's see what discussion we will but one question is do we need to change our statute? I mean these are the types of things that we'd like to hear from so the only other thing I would say too as we've been noodling on this if I've been thinking about this I've obviously been thinking about it as a way for the Remain Care Board I also think about it as somebody who has a record of these databases so that's the other piece of it too is like I have health information in this database about my medical treatment so that's kind of the other context that I want to lay on the table and talk about further. Do you want to start do you want to start Kathy? Yeah, yeah she's on the spot if you don't we can go to talk. Just so much to consider what's in the system that I as a person would not want disclosed I can recall a circumstance that related to patient safety incidents where the Joint Commission wanted information that they kept saying oh it's not patient level it's not patient level but we want to date the time and the place and I'm like in a teeny tiny hospital yeah we know we could know who that person was that happened to so even though it may just be dates I think there are still some nuance that has to be considered. I mean for me as tax commissioner I had to deal with these confidentiality issues a lot you know I would actually did get a phone call from the 5th floor once asking about a case and I couldn't even admit to the 5th floor that there was a tax payer. So you know something had gone around and I just said I can't tell you and it was a funny response where it was obviously somebody powerful in Vermont which I can tell you who it is because it went to Supreme Court in the public record now but it had to do with TV Vancouver and you know shoot against them and this is in the governor's book as he left so the word came back to me well if you can't tell us what's going on you better know it was just but you know it's like John Henry Martin Henry used to be in Calis I was on the Calis school board and we used to every year before the budget process kind of look at the tax department to say Calis Calis doing and that's kind of a backdrop and there was a Texan that lived up on the hill above Mabel Corner who was a millionaire and he paid taxes in Vermont and so every year you could see him until he moved to Texas and then there was this big hole because there was only one of those you know and so at the tax department I think that we had a five identifier limit and you're at eleven I think from our discussions but it is a continuum and I bet you there's somebody out there that even with the eleven constraint could figure something out if they wanted to and what is the liability of the state do we have an absolute requirement to protect somebody's identity under all circumstances or is there a point where we've done due diligence the best we can and beyond that if someone figures out how to untrap the mousetrap then more power to them that's why we have a data governance council Tom I'm glad she didn't put up over your fingers now so I mean and I in addition there are conditions for release where people or entities that were releasing these claims that we'll date it to are agreeing that they're not going to attempt to re-identify that they're not going to publish any information or data that could be identifiable there's a whole host of conditions that they have to attest to before they're able to have access to data yeah so that's I mean I think from my perspective in terms of this I think we have a statutory mandate to use the data and to share the data in responsible and ethical manner so I think we do have to use the data and I do think the legislature contemplated that others perhaps outside the Greenland care board and outside of the state government would be using data as well I think that in terms of absolute requirement and the law would call that strict liability so there's no question about what your intent was it doesn't matter I think that would probably be inconsistent with our statutory mandate to say that it imposed an absolute liability on us but I it doesn't pose a matter of no I think it's inconsistent with the mandate that we share the data because particularly in Vermont it is virtually impossible to share this kind of data and if you put a little bit of effort into it not haven't been able to re-identify at least in certain situations so I think the question then comes in to Susan's point about having a data governance council and the people that govern this data in our office as far as Bud's goes also the Department of Health we have to do our best efforts to protect the information and be responsible with the information and I think that's what directive is in terms of what we have to do and I think that we look at obviously how we collect the information how it is stored but I specifically think about our DUA process and I specifically think about the rule that we're working on for data release I think about the policies and procedures that we've just finalized and I think those collectively are the things that we are doing to try to be a responsible data student and there's a balance and there's certainly a balance yeah and it is a powerful piece of information there's certainly limitations to it but this data is it has a lot of information in there that could inform a lot of stuff that's going on so it is a balance but I think I would say my reading at least is our obligation is to figure out what that balance is obviously a new question and do our best to maintain that in a way that is responsible again Kathy's point I try to think about it sometimes and how do I feel about my data in that database what happens if it's my plate that somebody is trying to read out about and that's kind of what I think usually security and that's what it presents and that's if you have other thoughts and if a thing do go wrong it's the chair that she's talked to about and I have a lot of things going on in the shadows are you aware of any lawsuits brought by individuals or the ACLU because of a breach yeah well I didn't say a breach but the case that kind of came up a few nights is it's a lower Vermont court where the Department of Education sued over some records related to suspensions a lot the fact patterns a bit different but what scared me about it is I think the legal conception of a database in that finding it's only a file cabinet and it was just to be able to pull out the information you need in and produce it where in a complex large database that's just not true so certainly lots of cases brought related to Public Records Act I don't know how many I don't know of any related to data assets specifically but I've kind of been waiting for a test case or any cases where a person's information was leaked or inadvertently disclosed and the patient brought sued or anything like that that's actually happened not in the context of these I think the ABC Council would know if there had been a lawsuit somewhere else I would suspect I think it's also worth just level setting that every piece of data that we have is de-identified and what we're talking about here is somebody who could cobble together like there's always the example of dual school where there's very few people and like something like what Kathy was saying that just I just want to say you know we're not I would just want to clarify the de-identification so the data that we get is de-identified in the general sense it is not de-identified to HIPAA's safe hardware standard so that would be one caveat so the data that's maintained in V-Cures you can't see who the person like they're going to have the person's name I think there's some other direct identifiers excluded but it's not it does not like just pulling the data from V-Cures is not de-identified to HIPAA's safe hardware standards so that would just be one clarification I don't want to make did you have a little I don't think so yeah I have another question have you ever had to retract data from somebody who had given data permission views and then they misused it and I think that's largely due to a rather stringent standards historically for its release so that it's largely been research academic institutions so I think that's another reason why this is poignant as we think about expanding its use and just how to be continue to manage that balance through that process and we also do follow up too in terms of like okay your database agreement has expired you got some of the data back to us or destroy it that kind of thing and those kind of instructions we actually also are proactive about keeping in touch with our people so that's another thing that I think we do to your point though about patients that actually happens a lot in terms of HIPAA like health care entities that have patient data I don't know if you guys have ever been subject to a notification from your health care providers and says that your data was accessed so that's under HIPAA those health care providers are required to notify somebody when that happens and there are lawsuits and companies get fined both and they're subject to liability to the patient but also you know the government can go in and find health care institutions because the government can go in and look at audits and those kinds of things so in the context of enforcing HIPAA yeah it does happen and the devious restrictions or requirements related to if there's a breach and I think we had one that wasn't really a breach reported I remember the Brian Martin Friday afternoon but it wasn't it didn't actually yeah it didn't end up being a breach but it was yeah yeah yeah yeah yeah but you know enough to raise palpitations yeah Sarah I didn't mention earlier we got you to call thanks guys thanks for being here so should we keep going people I would love to hear more comments I was listening for what is the action here what's the vulnerability that we're talking about I feel like the statute covers it in some ways but wondering how onerous are the public record requests that are being fielded by the board for release through that means and then I loved the triangle and the arrows of how can we get to what are the actions that we need to take to make sure that we can release public use files and be more transparent while still going back to our first priority of protecting people's privacy in that along the lines that has been discussed so I can chime in on this too I think in terms of public use files particularly with B-Curse data I think it is a long-term hope that we will get something in the form of analytic files that are generally being produced by the board that can be accessed perhaps more easily in the DUA analysis that we do or maybe in the less strict DUA like you can do you not to make sure I'm going along the numbers of the public are looking for APCD data under public records act requests it's because they want to answer a question and we're hoping and anticipating that we will be able to establish a set of analytic files that can answer a broad spectrum of questions to resolve that for public generally and that I will say it's easier to use it's easier to navigate I think that what most of us tend to fail to understand is how complex the B-Curse database really is and how hard it is to navigate and how challenging it would be even if it were to be released to you to get anything from it we don't get a lot of requests but we do sometimes from time to time sometimes we're able to address the questions either by saying it's a lot more complex than you think it is sometimes by saying we actually have created an analytic file that might answer your question or that sort of thing or access the data through a data use agreement and here's the way in which here's the process that you would follow and here are the reasons why we have that in place for availability and release but also for competent channel protection but in the course of navigating through records requests that come in from time to time and looking at coming up and revising the data release rule it occurs to us that the statute is clear enough for us to be able to say we have a certain number of exemptions but it's not as explicit as the model legislation that's provided to us by the national organizations that support APCDs and the research in how other states address it, there are other approaches that we might consider and we might not consider changing the statute but we've opened up the the rule revision, maybe there's an opportunity there and I guess from my perspective thinking about this I had mentioned previously that there are a lot of reasons why the APCD context does not fit clearly into the public records release analysis I think that the complexity of the data and expertise that you need to have to actually use and understand the raw data in that database is one I think that the fact that the public records analysis specifically states that we do not look at who's requesting the data and the intent of the data I think that's inconsistent with the policy procedures we have been really thinking about and trying to ensure and enforce I think it's also inconsistent to a certain extent with patient privacy protections because the other like touchstone that I think about this in terms of the analogy that I make on the personal level is that like we don't have state hospitals here but I think San Francisco San Francisco General Hospital is the county hospital I'm not sure that I'm comfortable with the concept of somebody being able to go in and ask for the billing information my billing records there and they're going to redact my name and they're going to redact the date of birth but it's not information that is conceptually something that we think other people should have access to so also being congruent of the public records act to the policies that we've built in the DUA and the needs of the data that we've built around the region that's what I'm, this has been great this has been super helpful I don't know if that gives you an action like what we're going to do about this action I don't know, yeah that confirms what my instincts are on all this I just wanted to know if there are specific needs to change statute that are being contemplated behind this discussion because my mind goes to it's the rule that really is the place where some of those details are more appropriately that's helpful to hear just given the owner's nature of going through changing statute but maybe I was ignorant to something that is why I gasped no and I think that's part of what we wanted to hear is your guys' feedback in terms of how you view that balance because obviously transparency is very important to us in terms of what we do as a board and as a state and public records acts and openness of meanings that's also a really important concept but I think we wanted to hear kind of just a reaction when we look at it in the context of this data for me at least it's felt a little squidgy I think we wanted to hear your guys' thoughts too a few thoughts I'm not sure they're at all connected totally okay not sure the presentation was either the first is the ownership of this data we're talking about a public record but we're also talking about individuals personal medical records, procedures experience, diagnoses there's a lot of really personal stuff in the details but is it state-owned data or is it still owned by the person who had that diagnosis was made or that procedure was done or blue crops for example or or is it the insurer, the payer so that's just kind of a thought I'm not sure how it ties into whether it be a statutory fix or a regulatory fix but if we tie ours to HIPAA what are the recommendations around or what has been the experience with some of the education education data like around FERPA protections are there any parallels there that could inform how you may want to strengthen protections around B-Cures data and how we respond with a request request for access or the public record request a good question I think it would be yeah it's a good idea a really good idea yeah and then finally I'm thinking I can't remember the DUA agreements for accessing B-Cures or even individual access or individual user access agreements does it have that minimal cell size identified? so that's another safeguard especially as we think about potentially to at least an identified stage of B-Cures if that's something that we ever want to consider as well as the linkage then that the linkage increases the likelihood that you would be inadvertently able to identify someone but that minimal cell size is critical but if it's our I know it's a Medicare or CMS requirement but I don't know I didn't know if we had extended it across all Medicaid and commercial data education has worked out some of those dynamics in thinking about rural or smaller schools that dynamic and how that plays I know has been addressed I can't remember exactly how they did I think it's 11 and then a larger like 30 size for grouping there is something to learn there thank you that's a really I'm just looking at the time I want to make sure that we have we have some members of the public here I want to make sure they comment I also want to hear public comment so if the council is good just one in all I have an idea if you're familiar with HRQ online database searchable kind of thing just as a practical option I know that's a whole other project to stand that up but people can self-service answer questions without actually getting a data file just getting answers to their questions thank you one quick example that was amazing to me was the conversion the student count and education to equalize pupils which is going to AHS and that is not public information because the conversion has to do with people in which the second language and then probably free and reduced lunch and when you get down to a small school you can begin to kind of unwind that data and begin to figure out what to do so I had a chance to ask that I did at one point in time in terms of kind of a fix is that a possibility that during an active data use agreement when you have your X access to the V-Cures dataset you are now concluded that time frame from access to other datasets census tract data I can't even think of everything that could be out there to prevent that covalence together and where would that coordinating point be I know currently in our data use agreement at least I'm fairly sure about this and Kate confirmed that we do have a prohibition on the Gage so part of a break of data use for this that you're not going to attempt to link this to other databases yes that's correct it's either in the application itself that is the question for approval or it's written in the language but yeah you cannot link datasets together unless you specifically request that and there's an application process for data leakage and so that's obviously a concept we've been exploring too is perhaps opening that up a little bit more thinking about it being more broad about that so I think right now as part of the agreement that you're not going to try to re-identify this information you also don't get to link it unless we know what's going on and all of that so I mean I can so I think there is that piece in place but you know I also just generally I don't necessarily know that you need to link it to I mean because this is a small state and when we get down to county level information we get down to town level information when you're talking about somebody who's you know town of 400 somebody who was 45 who had a broken arm a month ago because they fell off a horse like not in that town not in that town it's not hard in a small population to think about that without really trying so yes we do try to take the steps and I don't know if that answers your question or not but you know yeah I'm just thinking in terms of like hard steps there's the attestation but another barrier that is from our example taking away the and I don't know enough about the technical piece of linkage to know like if there's a way that we can stop what just prevent it from being linked technically I don't I don't know how that process happens that's probably a center of question maybe a very big question I mean I'm thinking of our experience with on point and we work with multiple data sets and view cures and we may see a cell size within our group who have signed that after David's and I use and so we'll say that that's a cell size less than 11 but when we make a public all of those cells are blinded okay so it's as long as it's not in the public sphere but it's within those people who have signed all the agreements then seeing that maybe that one off and that's that's an important distinction to make too is sometimes the statute as well they say making it publicly available well does that mean we release the data to anybody like any time we release the data is that making it publicly available even if it's an open view situation for a particular user you know that that's something to think about too versus making it a public use file I guess something that frequently asked questions is there a way to produce a document or access points that people could go to where we have the control of what's in there and and that's public and here this is okay do you mean in terms of like the limited space level data? is there a way to have enough I guess what I'm trying to also do is kind of satiate the need to request so it would hopefully take away some of the requests public records requests make controlled information you know this is vetted for posting publicly but it is a little bit out there isn't that the public access file that we're talking about I would think that's a public use file and I think at this point we do not have public use files that we put together for vcures we are working on that yes this is in process it's not that we have to be available already but I know that is in the future these are part of the plan that we are working on as far as sharing the information so I think we should open up and I'm looking at my clock here because I have another call at 3.30 I can go over obviously this was my first call but I do want to make sure the public has some time to weigh in does anyone from the public have any comments so as we're looking at other substantive areas I was thinking some agent the federal regs around the public use micro data samples might be somewhat useful and I pooms out of University of Minnesota I know they it's an online tool to use the micro data sample and I get a lot of policy notifications from them about changes in the federal regs and they seem to be really trying to balance this issue of useful for academics versus privacy so maybe I pooms is a good thing to look at it's also really nifty yes like Sarah has it too you nailed her with that all right yeah I would be curious to look at it too shoot that over I would just say I'd have to go back to the enabling statute I just would remind even I'm sure you're well aware that in addition to HIPAA there are the 42 C2 far part 2 restrictions as well to the extent that any information is created a part 2 facility there's additional requirements or something I think we can rush the discussion I just wanted to make sure that there was time for the public comment so I would say next steps we I mean there are a couple of specific things that I was going to look into just follow up and then I think um maybe at the next meeting you can provide an update on where we are with the rule and maybe where any of this is going any of the discussion today would be added does that make sense absolutely and I know in terms of our in terms of our thank you everybody it really was a very helpful discussion it was a great discussion really so and are you going to talk about the analytics page or are we going to put that up that was number 5 and then we are going to talk about upcoming meetings I think we have to talk about upcoming meetings and call it a day um but what I had wanted to do which is not entirely necessary for me to do because I know that this is something that at your leisure you can do on your own and I also provided you a little bit of a trail of bread crumbs in your in your packet if time allowed I thought it would be fun to do a little walkthrough of the data and analytics web pages that we have as a subset of the Green Mountain Care Board website because there's what I think of is a wealth of information on there and it's kind of an iterative process in which we update it and improve it we make little changes as we're able as opposed to like a whole re-launch of a brand new kind of website sort of thing but over the last six to eight months we have made a number of changes and added a lot of information on there so peruse it and let me know what you think if it brings up questions for you if you think there is information that you don't see that you might like to see there if anything looks conflicting or confusing or building links or anything like that just let me know but there's a section for the data governance and stewardship program under which all of the DUAs are linked as well as the application that's associated with that DUA because it's really in the application where you get the details about the projects and then in the vCures subsection we've worked on documentation there's a quick and easy vCures capabilities document like what you can do with vCures what you really it's challenging to do try to do with vCures and there's an overview document that goes into some more detail about what vCures is and is not so and then a whole section with analytic reports that we continue to add to so as we create reports and visualizations of data we are posting it there so please take a look can I put a plug into analytic reports saying that they're on hospital budgets at this point ACO they're working interactive visualization they're working on an ACO one so these are really valuable is that it? I think they're all and the expenditure analysis is also in there but I think they were presented at a board meeting the information I do think that the visualization the total cost of care was for sure it was excellent yeah so it's testament to Sarah Lindberg and the work that she's done and Kevin Mullen the chair of the board who's made data a high priority so congratulations on the great work and Pedro Neal for cleaning up the vCures website so I won't spend any more time on that but just to wrap up this meeting we have sort of three issues on deck for discussion at these council meetings and one of them as you know is the rule revision so that is in progress and this conversation is kind of a precursor to looking at the data release rule and Lynn is queuing that up for an upcoming meeting the other topic area is the Bud's data set the hospital discharge data set we mention it and it comes up from time to time but we don't really spend time looking at it and thinking about it and understanding it and talking about the issues around that so we would like to do that at an upcoming meeting and then the other one is around data linkage so it came up today we would like to have a broader policy discussion around data linkage so what kind of linkage requests come in what does it really mean what are the implications of that and we as staff would like some guidance from the council around what's acceptable to you in terms of data linkage you know a direction that we might want to go in and keep it really tight or loosen that up for more robust research that kind of thing so saying that we already have a meeting scheduled for August 6th and we have then the next meeting would be October 1st we're already into October believe it or not but I would like to propose that we add a September meeting so that we can tackle these three topics right you know one right after the other and get them moving along what I'm proposing is to add a meeting on September 10th I would like to know if that is acceptable to the council I literally just send the deposit so normally we'd be on the 1st to say that happens to be the day after but you tell me if adding the meeting on September is acceptable so we need to get through these really needy issues as opposed to all of a sudden now like three topics, three meetings we're now into December really it's fine I think it's a good time I think the 1st because September is probably it's just crazy at both maybe yeah there's certainly no possibility we have another meeting October 1st yeah I'm fine and I can get feedback so is adding a September meeting acceptable and then can we just say that maybe September 10th is tentative but I'll look to see if maybe working with you I can find another meeting that works for all I mean a meeting time yeah they are yeah anything else from the council any other business you want to bring up I I I second thank you thank you thank you