 Good afternoon and welcome to the Green Mountain Care Board. My name is Kevin Mullen, Chair of the Board and we're about to start the meeting. The first item on the agenda is the Executive Director's Report, Susan Barrett. Thank you, Mr. Chair. Good afternoon. I have an update on the scheduling for the rest of this month. So next week we have a to be determined board meeting. So we will update our schedule as soon as it's decided on whether we will have a meeting or not. At this point, we don't have anything on the agenda, but that could change. So that's TBD. Our May board schedule will be published very shortly. We're finishing up the details on that. So expect to see that out in the next several days or so. And then I just wanted to announce as I have been for the last several weeks and several months that we are conducting ongoing public comment on the potential next agreement with CMMI for an all payer model. As background, the board had presentations to both its primary care advisory group as well as its general advisory. We have asked the Director of Healthcare Reform to present some information to both of those groups. We asked both of those groups for some written comments which we received. We have shared those comments obviously with the board and with our partners at AHS and the governor's office as they will be taking the lead on a next agreement design. And that is all I have to report out. Thank you very much, Susan. The next item on the agenda are the minutes of Wednesday, April 14th. Is there a motion? So moved. Second. It's been moved by Maureen and seconded by Tom to approve the minutes of Wednesday, April 14th without any additions, deletions, or corrections. Is there any discussion? We're gonna educate the user that we're now calling us up. You're trying to be stubborn. Hearing none, all those in favor of the motion signify by saying aye. Aye. Aye. It was opposed, signify by saying nay. And if I could just ask people that are not speaking to mute themselves so that we don't have the feedback, that would be great. So the first item on the, well, the next item on the agenda is a discussion of the data governance council. And I'm gonna turn the meeting over to Kate O'Neill. Kate, take it away whenever you're ready. Thank you, Chair McMillan. Yeah, I would like to just sort of kick us off today with a brief introduction to the data governance council and the data governance council members. So if you could move to slide two, yep, the, thank you. The data governance council is a committee of the board which oversees data stewardship and governance for the board in four main areas. Risk management, data quality, program sustainability, and data release. And within those four main areas of concern, the data governance council does its work. The council meets on an every other month schedule and those meetings are published on the website and their public meetings. And according to its charter, the data governance council has defined roles for membership and currently we have seven members. So I'm just gonna go through who those members are for you just to set us up for today. So from the Green Mountain Care Board, Susan Barrett serves as council chair and board member Tom Pelham is the designated board member for the council. And the other staff member that we have on our council is Elena Barabe. She's our executive level staff member designated by the council chair to sit on the council. And Elena, as you know, is the director of health systems policy here at the Green Mountain Care Board. Now those are the three council members from the Green Mountain Care Board. And additionally, the charter that we have for the council instructs that we must have at least one voting member from other Vermont state agencies or entities outside of state government who may be data contributors, data users, technical experts or policy leaders to share their expertise and to ensure diversity of viewpoints. So currently on our council, we have four such members. And while I think, you know, these folks, I just wanna give them a little introduction here and you'll see how their experiences and expertise make contributions to the work of the council. So first is Catherine Fulton. She's the executive director of the Vermont program for quality and healthcare. And she's a certified professional in healthcare quality from the National Association of Healthcare Quality, or NHQ. Cathy brings over 40 years of quality and patient safety experience and a variety of healthcare settings through her role as the executive director there. VPQ partners extensively with the Green Mountain Care Board also with the Vermont Department of Health and multiple statewide partners on a range of projects related to quality, patient safety and health outcomes. We also have Larry Sharf. He's the manager of informatics at Bi-State Primary Care where he handles the analysis of healthcare data. And he manages the technical aspects of assembling clinical data from member EHR systems as well as claims data from insurers. When using those data, Larry provides analytic services to support Bi-State members, quality improvement initiatives and utilization measurement. Prior to joining Bi-State, he worked for Vermont Information Technology Leaders first in project implementation and subsequently as director of information services. And before vital, he was data analyst for VAAS, the hospital association, managing hospital discharge data program and conducting data analysis. And then Mary Kate Mulman currently serves as health services researcher at the Vermont Blueprint for Health where she leads overall program evaluation and assessment of the impact of blueprint initiatives on healthcare costs, utilization rates and quality outcomes for Vermont residents. Prior to this current position, Mary Kate served as director of healthcare reform for the state of Vermont where she advised the governor on federal and state healthcare related initiatives and legislation, oversaw the coordination of healthcare system reform efforts among the executive branch agencies, departments and the Green Mountain Care Board and led the development of the governor's healthcare reform priorities and initiatives. And the seventh member is Helen Reed. And Helen Reed currently serves as the division director of health surveillance at the Vermont Department of Health, which involves oversight of health statistics, epidemiology, infectious disease and public health laboratory programs. And then prior to serving the state of Vermont, Helen worked as chief operations officer at the Arkansas Center for Health Improvement at the University of Arkansas. And that center is an independent think tank for health policy, including helping to construct Arkansas's Medicaid expansion program. So it's my pleasure to share with you these seven members of the Data Governance Council. It really is an honor and a pleasure to work with this committee. Their expertise and their experience that they bring to the council has allowed us to tackle some pretty important concerns for our valuable data assets. And I know that Susan wants to share a little bit with you about some of the council's work over the last little bit of time. So I wanna make sure that I give Susan a chance to share her thoughts about the council. So I'm gonna turn it over to you, Susan. Great, thank you so much, Kate. Is there an echo? Is that better? Is that okay? Yeah, sounds good to me. And I just wanna start by thanking Kate O'Neill for all the work that she does to support the council. One of the reasons why it runs so well is because Kate is so organized and make sure that we are very prepared for every meeting and every decision we need to make. So among other things she does at the Green Mountain Care Board, thank you for your support for the data governance council, Kate. So I just had a few comments really and just kind of giving the board and the public a little more flavor for what we do at the data governance council. By way of history, the data governance council has been active in this form, in this iteration since 2018 and under this current charter. The boards council really has looked at as a data governance council has looked at as an example of how to do data governance right in the state. It's not an easy thing to do. It took us several years of planning and we had one iteration of the data governance council that we worked through back in like 2015, 16, but then when we relaunched it in this form it really has really hit its stride. And many other state agencies look to the board's data governance council as an example of how to do data governance. I also want to just point out that at all of our meetings because the council is a part of the Green Mountain Care Board all of our meetings are public and these public meetings provide an opportunity for public engagement from the general public but also from payers and data submitters, data users and of course the healthcare advocate. And what I find is that their input all of these folks input into our decisions and our discussions makes our decisions and the work we do better. Everyone's coming from a different I guess viewpoint but listening and taking in their input I feel makes our decisions stronger and better. In addition to data release discussions and approvals the data governance council has also held discussions and created guidance for several program efforts and I'm just gonna take these off for you. Supporting private industry use of Green Mountain Care Board's data assets to drive innovation, reforming the data users group and advanced technical users group, exploring fee structures for data release, providing support and guidance for the data teams enhanced data validation projects and aligning with industry standards for security. And last just to sum up just to also give you a little more flavor of what the data governance council does recent examples of decisions that the council has had made are we created and approved data stewardship principles and policies. We created and approved a data linkage policy which was a lot of work by those stakeholders, the council members and staff but I think it's a model that can be built on. Updates to public use files and limited release criteria and available elements and then data release application determinations as I said, we do that as well. And then last but certainly not least and it's gonna lead us into our next discussion is rule revision drafting. And when we hear from Russ McCracken, you all at the Green Mountain Care Board will vote to move this work to its next level which would be through the proper and the formal rule making process at the legislature but I don't wanna steal Russ's thunder, he'll get into all of those juicy details next. So any questions, I don't wanna labor this and take up too much time but just any general questions from the board that you might have for us before we turn it over? I never thought data could really be this much fun but it is. Susan, I'll ask you a quick question. There's non-state entities that use some of the data like VCURES and other datasets and I'm just wondering, is there a requirement that the investigators, the PIs that are using the data that get permission to use the data, share their findings using Vermont data and is there a repository where some of those findings go? Has it had impact? Can we access some of these and learn from some of these projects? Yes, and if I'm out of a line here, I'll get a nod from Kate O'Neill. Yes, there is. There is, I believe they are located on our website if they are being shared. One thing, and we'll double-check on that, Jess, it's actually a really good idea to have them all together so folks can use that as a resource. I know one example that comes to mind that I thought was really fascinating is a few years ago, we heard from, I know I can't think of the name of the company down in- Was it RTI International? Yes, thank you. I knew it was like, I kept thinking of trying. RTI International that looked at weaning opioids from patients and whether they were, whether doing that too fast could impact the health of the patients and that information I thought was fascinating. That's a good example of a use of the data. But Kate, do you wanna expound more on where folks can find this data because I think it's a great question, Jess, thanks. Yes, and in fact, we did invite RTI International to a board meeting to present their findings. So any entities, state or non-state using vCURIS data needs to send their proposed publication through a pre-publication review process. And so we on the data team get to see how they're using the data. It's a technical review, so we make sure we make sure that they are also sharing that the findings are their findings and not the Green Mountain Care Board's findings because they're using our data. But we do do a technical review just to make sure that it meets with a list of criteria that they must comply with. And then when their publications are published, we post a link on our website. Now, it may not have everything. So I'll take that back. And as a reminder that we do keep a link to publications using vCURIS and do a little bit of work just to make sure that it's current enough to date. But it's on the website under data and analytics in the reports section. One thing is if it doesn't get published, does it get lost forever? You know what I mean? If it's somehow used internally in some other organization and doesn't end up being published, but could be informative to the Board's work or other state entities that want more information from vCURIS, it might be helpful to track everything, all the projects whether published or not. Right, what we don't do is request the analyses that they did. We look at publication and ensure that anything getting pushed out to public meets our criteria. But yeah, there isn't a requirement that the analyses that they conduct or the data that they're using in particular is then returned to us or used by us in any way. Great question. But I like that, I like that thought and we'll take that back and there might be an interesting discussion around the council on how we might engage a little bit more. We are doing that when it's requested by the council to do so with archway health advisors, which is an external user of our data. We do have an agreement with them, which is something similar to what we're talking about. Having it all in one thing, I like it too. I know it's all on the website, but we'll just make sure it's really easy to find. And our website on the data governance and our data website in general, I find very easy to navigate. Thanks also to Kate. Great. So should we, I'll turn it back to you, Mr. Chair or to Kate. I don't know who is next. Are you done, Kate? Yeah, we're moving on to the agenda, yeah. Great. So I think since they're all interrelated, we could have one public comment period. So if Kate, if you could hang around, that would be great. Oh yeah. Kate Russ. Great, thank you, Mr. Chair. Thanks, Susan and thank you, Kate. I am going to present two new rules regarding data submission and data release for consideration by the board. I want to give a little bit of an introduction and background on these rules and what the motivation is for engaging in this rulemaking. Want to talk a little bit about the recent history. I think there's some longer history, but just focusing on the most recent actions that we've taken in terms of preparing these rules, look through the next steps. As Susan said, we're teaming this up for putting it into the formal rulemaking process and then walk through the specific terms of the two rules. And Chair Mullen, let me know if you have a preference. There are two rules here. I'm happy to pause after the data submission rule for discussion and questions, or I can present both and have a longer period for any discussion and question at the end. Why don't you go ahead and present them both Russ? Sounds good. Great. So the board stewards two data sets, V-Cures and Buds. Currently with respect to V-Cures, we operate under an old Bishka rule from 2008. That rule is very detailed, it's very long, it's very specific, and it doesn't provide a lot of flexibility for changes in technology, changes in kind of the specifics or the technical reporting aspects. And those are important features for the board and the data governance council to have to be a good steward for the data sets. The situation with Buds is a little bit different. I understand it operates, the terms of that are not in a rule, but under a contract that the hospitals are not a party to but have agreed to. So our goal here is to bring both V-Cures and Buds submission rules into one rule and the disclosures into one rule. Accompanying both rules are submission manuals for each data set and disclosure manuals for each data set. And those manuals provide a lot of these specifics, a lot of the technical information. And as I'll discuss going through the rule, they can be updated by the data governance council without going through a full rulemaking process. So it provides a lot more flexibility for the board to kind of adapt to changing needs with respect to the data sets. So staff has been developing and engaging in informal rulemaking process. I should say staff and the data governance council for both the data submission and data disclosure rules for a while. The recent history is on February 2nd, the data governance council voted in support of both of the draft rules, supporting the presenting the rules to the board for consideration and request for approval to put both into the formal statutory rulemaking process. The draft rules have been posted to the board's website. And in addition in February, we did some targeted stakeholder outreach, sending the draft rules and disclosure manuals to FUD submitters, VCURS, payers and submitters, our vendor, certain particular users of the VCURS data. And we received some thorough and helpful comments from ONPOINT, the board's vendor for the data sets. And we've incorporated a lot of those comments into the revised rules that were circulated to the board. The process looking forward, our request for today is to provide our request for today is for the board to consider approval of the rules to put them into the formal rulemaking process. There's a prefiling requirement with ICAR, the rules are then filed with the Secretary of State for publication. There is a comment period that goes along with that. Tentatively my suggestion was that we would come back to the board then for a subsequent vote for approval of the final rules, reflecting any changes or comments that were received in that comment period and also to provide an additional opportunity for public comments on the rules to the extent that they hadn't been submitted already. If the board then approves the final rules, they go back for publication with Secretary of State, review by LCAR. If there were material changes, we may then come back to the board for a final vote for the final approved rules. It's a several month process. And what we're looking for today is to kind of kick off that get moved from this informal rulemaking and development into the formal process. So I'll start with our draft rule eight, which is the data submission rule. There's a couple of statutes that we draw on for the authority for this rule. 18 VSA 9375 says the board must collect and review data from ambulatory surgery centers and psychiatric hospitals. The main statute 18 VSA 9410 for the data sets requires the board to establish and maintain unified healthcare database and requires submitters to submit data to that database. Additionally, I'll note we have hospital budget statutes that require some submission of data from hospitals. The way that rule eight is organized is by V-Cures and then Buds. So section 8.2 addresses the V-Cures registration and the submission requirements for V-Cures health insurers have to submit, have to register rather, each year by December 31st, and provide some information about their business and what data they're submitting or are required to submit to V-Cures. And then we have mandatory within that, within the health insurers, there are mandatory submitters and voluntary submitters. A mandatory submitter is a health insurer with an average of 200 or more members in each month of the last calendar year. Who are Vermont residents. Any health insurer who insures a fewer Vermont residents than that is considered a voluntary submitter. They're not required to submit data, but they're encouraged to submit data under the rule. We included a quick note here that the rule doesn't explicitly exclude self-insurer, exclude self-insured plan data, even though that is self-insured plans regulated under, Orissa are not required under the GOBE decision to submit data, but we think that that's covered in the statute which defines a health insurer as to include self-insured healthcare plans to the extent permitted under federal law. And the rule here establishes some basic requirements for submission, how the data is transmitted, some basic file testing requirements, a basic procedure for rejection and resubmission of data, the replacement of data and some general reporting frequency. Requirements, the more specific and technical requirements for the submissions, including the data elements, data coding and all that is gonna be set out in the reporting manual. And that's gonna provide some more flexibility to the board and to the data governance council to make changes, development and revise any technical requirements or reporting fields without going through whole rulemaking process to revise the rule. Voluntary submitters are encouraged to follow the data submission requirements, mandatory submitters must follow the requirements. And then we have a parallel provision for bud submissions VUDS mandatory submitters at General Hospital, Psychiatric Hospital and ambulatory surgery centers in Vermont. Those categories are all defined in statute and the rule pulls those definitions in from the statute. A VUDS submitter has to submit inpatient discharge data, outpatient procedure and service data, emergency department data and some other financial scope of service, volume and utilization data. And the times for reporting and again some of the technical and specific reporting requirements are captured in the VUDS reporting manual. Now, because one of the big changes we're making here is to take a lot of the specifics out of a rule and put them into a manual, which is something that the data governance council has more control over. We have a provision here that the data governance council has to follow to make any changes to one of those manuals. So if the council wants to make changes to a manual, those proposed changes have to be circulated to the affected submitters. There's a 30 day comment period for submitters to review and provide any feedback on the proposed change. After that 30 day period, the data governance council will hold a meeting and consider the change to the manual. They'll vote at that meeting to approve it. If it's approved, that change will go into effect 90 days following the meeting and the approval. Now, if that time period is an issue, a submitter can request a reasonable extension for good cause. We don't define what good cause is. And so we'd have to, the governance council would, data governance council would have to evaluate each particular circumstance based on the facts and the issue that the submitter identified. If the council denies a request for an extension, the submitter kind of feel that to the board, the board for review and consideration. The data governance council is not authorized under the rule to waive provisions of the rule, but the board is consistent with other, consistent with other rules, the board can grant a waiver for unnecessary hardship, delay, or injustice. So there is some flexibility for the board to consider issues if they came up. I'm not aware of this having been an issue in the past, but that's the process that we've proposed to address your concerns around changes in the manuals. So I will, before I shift gears over to the data release rule, Kate, anything I forgot to add, do you think I should throw in anything that should be corrected? Yep, no, I think you're good. Great. So the authority in the legal context on the data release rule is that 18 BSA 9410, which directs the board to maintain a unified healthcare database, also directs the board to make that data available to support analysis of healthcare utilization, expenditures, and performance in Vermont. So it's important part of the board in the data governance council's stewardship of the data that it's collected, but also that it's made available to further the statutory goals of the board. There are, in some ways, the data releases is a little bit more complicated because there are some other laws that come into play when we're dealing with healthcare data. For example, HIPAA, and even though the board is not a covered entity under HIPAA, the board does follow HIPAA on issues of data release, and it's specifically referred to in section in 18 BSA 9410 that release of the data and the authorized sharing of the data by the board has to be allowed by HIPAA and any healthcare data that's subject to HIPAA is governed exclusively by the applicable federal regulations for HIPAA. And I also wanted to note here that in section 9410 that notwithstanding any disclosure that may be permitted by HIPAA, Vermont law separately prohibits the board from releasing direct personal identifiers in any information. That would include names, street address, email, phone number, social security number. So there's a robust statutory regime around the protection of personal information. And there's some other laws that may be implicated as well. Anti-trust concerns, for example, if we're talking about pricing information, certain pricing information, there are other sensitivities that we're always aware of. Let's see, I also want to note that 9410 requires the board to adopt a confidentiality code to ensure that the information is submitted and handled in an ethical way. And lastly, if the board has data use agreements with CMS and DEVA specifically covering Medicare and Medicaid information and the terms of those agreements, the board has to make sure we're complying within the disclosure of any information from the data sets. So going through the terms of the rule, the rule generally classifies information into three categories, and this is consistent with how the Bishka-Veekers rule classifies data as well. It's going to be considered either unrestricted, restricted or unavailable. Unrestricted data is information that could be shared publicly and could just be generally released by the board and post on our website without any limitation or data use agreement in place. The other end of the spectrum is unavailable information and that's data that will not be released outside of the board under any circumstances. And then most of the information is between those two and it's considered restricted, which is information that the board may release subject to an application by a party and entering into a data use agreement that protects the confidentiality and the use of that information. And like I said, that's generally consistent with the current framework for data. The rule says the rule allows the board to specify additional restrictions or limitations in the data use and disclosure manuals. And the rule also refers to a form of a data use agreement maintained by the board by not putting all of that detail and those forms into the rule. We maintain some flexibility to adjust and adopt the DUAs and additional restrictions or limitations to changing circumstances. Let's see. Section 9202 addresses the modes of access and the secure analytic environment. And it says people when the board grants access to the data that access can be granted through a data extract or access to the data directly through a secure analytic environment. There's a secure portal where a user can access the data set. My understanding is that only state users currently use the secure analytic environment or are set up to use it, but that's something that could change in the future and Kate can correct me if that's wrong. But it- That is correct. But in the future, the rule would allow non-state users to access vCures data and do that same secure portal. We have a provision in here regarding the use of and release of public use data. It says if it's beneficial to the public, usable and technically feasible, then the board can publish unrestricted data elements and information that's derived from unrestricted data elements in data use data files. Analytic tables are standard reports. Analytic tables are files specifically developed to answer or address particular questions. Standard reports may be a regular report that the board might compile from time to time. And to the extent that either of those encompass only unrestricted data, they can be made publicly available under the rule. If that information is made publicly available, the rule specifies that there would be no charge for the public to access them. Either it would be published through the board's website or available upon request or download with no or minimal cost to the user. And any of that public use data would contain a clear and conspicuous explanation of the characteristics of the data, what the data is, the dates of it, anything for the underlying methodology that's needed to understand the report. Basically an explanation that puts the data in the correct context so that it can be understood and reviewed publicly. Any restricted data that a user wants to access is done through an application and then a data use agreement. And the rule addresses the basic parameters of both of these and the disclosure manuals provide a little bit more specifics. So the rule says that a person can access or can request access to datasets or to the secure analytic environment by applying for a limited dataset on the forms maintained by the board and agreeing to the board's data use agreement. I think it's important to note that a limited dataset is defined in the rule by reference to HIPAA as a dataset that excludes direct identifiers like names, telephone number, social security, et cetera. The board may also require submission for a pre-application review form which I believe that we do currently for non-state entities that wanna access the datasets. There are data use and disclosure manuals that Kate has developed and I think they're very thorough and they provide a lot of detail for vCures and Buds and they set out in more detail than the rule the procedures for their view and approval of any application for access to the datasets. And so one example of the detail that's in the disclosure manuals but not pulled into the rule is that they're not pulled into the rule in the same express level of detail is that state applicants and non-state applicants go through a different process and a different procedure for accessing data. A state agency can apply for and be granted a broad use data use agreement which gives them access to, I believe the full dataset whereas a non-state entity has to specify the specific limited dataset that they want and they're only eligible for limited use data use agreement. There are a couple of other procedures that we note in the rule. Sometimes an application will require review and approval by an agency other than the board and the example, current example for that is Diva has to approve any application involving Medicaid data or the disclosure of Medicaid data. And I think the rule is flexible enough to accommodate other, if in the future other situations like that were to arise there would be accommodated under the rule. And so once a potential user submitted an application the rule goes through kind of the broad terms of how that application is reviewed. The Data Governance Council is tasked with approving or denying applications on behalf of the board under the rule and what that means in practice under the Data Governance Council's charter is that the chair of the Data Governance Council is delegated with authority for approving or denying applications. So that goes to Susan for review and consideration. And I should say, and it'd be more correct to say that the Data Governance Council's charter delegates to the chair of the council to approve or refer an application to the full Data Governance Council for further consideration. And so in practice that means a kind of standard non-controversial fairly straightforward application is something that Susan on behalf of the Data Governance Council can approve if it's more complicated nuanced or something that is worth the Data Governance Council in its entirety, taking a look at Susan can refer consideration to the council as well. And then of course, if there's another agency that has to approve an application, then that goes to the other agency. It's not delegated to the council. The Data Governance Council solicits and considers public comment if they have an application that is brought to them. And we have some specific criteria in the rule that the Data Governance Council needs to determine is satisfied that the application is complete signed by the principal investigator and a person with authority to bind the applicant, that they're documented procedures to ensure the confidentiality of patient data or other confidential information that were satisfied with the qualifications of the investigators and the staff that release of the data is not privated by state or federal law regulation and that the data will be used in a way that aligns with the board's statutory responsibilities, federal and state data protection and privacy requirements, and the data stewardship policies adopted by the council. If the council denies an application, it provides a written explanation for the denial to the applicant. The applicant can appeal that decision to the board within 30 days. If the board denies an application, that's a final decision of the board and it's subject to appeal under the statute to the Vermont Supreme Court. The rule also addresses here data use agreements and the actual form of the DUA is something that has been developed. It's there's a standard form for beacons and for vuds that the board has established and uses and can modify outside of the context of the rule or outside of the formal rulemaking process. So DUA is signed by an authorized user and a principal investigator. The DUA sets out restrictions on the use of the data and any further disclosure of the data. And my take is that the standard DUA that we have is fairly stringent and offers a lot of protection against any use outside of authorized use for any data that's disclosed. The way that the data use agreements work here is that any individual who's gonna have access to the data has to sign an individual user affidavit. Essentially acknowledges and confirms that they are aware of the DUA, they've read it and they agreed to the term set out in the DUA. We have a provision in the rule that upon request the board of vendors may provide analytic and information services for members of the public and costs and fees. The rule under the rule, a data set that has restricted data so not the public use data that the board may make generally available but restricted data that a user applies for and is granted access to is made available at the cost that's charged to the user by the board's vendor, so on point. And that cost is paid directly by the applicant, by the user to on point, not to the board. So it's not a revenue generating, it's not a source of revenue to the state. It's a cost charged by the vendor and that applies for either data sets that are provided or access to a secure analytic environment. We also say that analytic tables and information services will be made available at the quote maximum allowable rate, sorry, under law for that information. And that's left in kind of a general way to accommodate any situation in the future if there were a legislative change or some other change that enabled the board to collect fees and charges for preparing and providing analytic tables. There's also authority under the rule for the data governance council to grant a full or partial cost or fee waiver for an applicant that requests it if the requested data is used to fulfill a public purpose and the payment would constitute an undue hardship. And just to note that state agencies don't pay a fee to access the data sets. This is for non-state users. Section nine 501 of the rule addresses data linkage and it generally tracks the data linkage policy that the data governance council has adopted, but it specifically prohibits linking B-cures or Buds data, whether it's restricted or even the public use data with data source containing personally identifiable information or some other data source that would allow the user to essentially link up the data from B-cures or Buds with the personal identities of those people. Section nine 502 addresses data redisclosure and this is similar to the requirement under our DUA, which says that the information is provided only to the entities and the entity that signs the DUA and the individuals who sign the individual user affidavits. If there's a desire or a need from by those users to redisclose the data to other parties, there's a process for them to come in and file a application for redisclosure. And so this section of the rule says that there can be no redisclosure unless the applicant goes through that process and is granted permission by the board or the data governance council. And we put the burden on the principal investigator to make sure that the individual user affidavits are submitted for all data users who would have access to the data before access is granted. Who's the principal investigator, Russ? It would be identified by the applicant as the individual who is their kind of lead contact, but it's somebody who works for the entity that's requesting information. So the rule also includes an enforcement provision, a person who knowingly fails to comply with the requirements of 18 VSA 9410 or the rule may be subject to sanctions. And the way that it's drafted, the rule would include the terms of a DUA. So somebody who has access to the information and assigned a DUA and violates the terms of that DUA is potentially subject to sanctions under this rule. But I think it's also important worth noting that the DUA itself is a contractual agreement that the board can use to enforce and go to court to seek legal or equitable remedies against the user to say stop an unauthorized disclosure of information. And so it's not only, so the board's options for enforcement here are not limited to sanctions, but it's both sanctions under the rule and enforcement of the terms of the DUA. And I will stop there. Yes, I'll check with Kate any add, subtract, correct. No, I'm good. Thank you. Okay, so board members, do you have any questions or comments for Russ and Kate and Susan? I have a couple. Go ahead, Tom. So at the very beginning of slide three, you referenced this 10 year old rule H-2, 2008-01. And I'm wondering if this process is going forward in a way that is going to eliminate that rule so that we don't have a conflicting rule that precedes what we're trying to do here now? Yes, it will. It will revoke it. Even though it's at the, I think you said it's at DFR. It's a Bishka rule. So it, yeah, this, these two rules are designed to replace that rule. So that rule would go. Okay, so that would be part of the language of the filing to LRICAR. The other is on page 20, slide 24, it talks about costs and fees to the vendor from, and I'm just wondering whether or not we feel comfortable that this provision is in accord with bulletin 3.5, where we have the contract with on point, but we're basically letting an entity kind of bypass us and go directly to our contractor. And I don't know if on points rates are published or unpublished or what, but I just would wanna make sure that we're lined up with bulletin 3.5. Yes, I believe that we are. And the, in practice, this isn't about bypassing the Green Mountain Care Board. It's just about paying the vendor directly for the preparation and delivery of file extracts, which they are required to do for a user that we authorize under their contract with us. Okay, and so are their maximum allowable rate, are those in a document that someone can look at? Well, it's actually right in the contract, but it's subject to change. So when we agreed upon finalized the contract between the State of Vermont and our vendor, which is on point health data, they specified the charges for various services like the preparation and delivery of a file extract or for the number of seats and the enclave, that's, it's all laid out in the contract, but with the flexibility that they can adjust those fees through the contract period, I assume that might involve a contract amendment, but they set those fees and they can change. Thank you. Russ, just to follow up on Tom's question, did legal look at rule 3.5 to make sure we're in compliance? Yeah, I can jump in here too, Kevin, if this is Mike Barber. Hi, it's not something that I'm aware of was specifically looked into, but 3.5 addresses kind of the state contracting process and approval, and this doesn't seem to me like it would be addressed in conflict with 3.5, and it's the way that it currently works. It's the way that the Bishka rule was drafted that the fee is paid to the data vendor. So I think that was kind of the basis for what's in there now, but Russ, I don't know if you had anything else to... Yeah, thanks, Mike. It is the process that we currently follow. Happy to go back and take a closer look at the state procurement law in Bolton 3.5 and make sure that we're not stepping outside of that in any way. Super, thank you. Other board members? Yeah, I just had a follow on question on that and just in fees in general, but do we get a record of what fees were charged to by the third party vendor, number one? And number two, to the extent, obviously there's been a lot of costs in putting all this information together. Is there a way to monetize it more for offsetting costs while not prohibiting people to use the data? I can start and I don't answer your question satisfactorily, maybe others can add. So actually the Data Governance Council, I'll start with the second question first. The Data Governance Council has explored and discussed options for a fee structure. We've looked and researched how other states approach this and we have a lot of good information and it's been a very interesting discussion. It ends there as best as I'm able to say because we understand that we're unable to collect fees. So the charges that are involved in any data release just that's collected directly through the vendor so that we're out of the picture and that can't change unless we are able to change that through a fee bill, which I know we have explored from time to time but that's the situation now. On point charges directly, as I said, but the only charge really is that preparation and release of the file and they have a set structure for that and it happens upon release of the data to the authorized user. So there isn't a lot of invoicing and payment happening. It's just that kind of that initial extract fee payment. So we don't collect that information and any kind of reporting. We do know that on point charges the authorized user directly and we have them make that arrangement. Okay, thanks. Hey, can I just add in, you'll probably, you could add into but we are working on data extracts that are, instead of having the whole data set because Maureen, this has come up a lot. Like, why aren't we charging this data? That is one of the goals of having these smaller extracts that are analytic extracts, I would call them, that can be requested and I do believe the goal is to charge for them but we will pursue that a little further. They're not ready for prime time yet. As you can imagine, there would be a lot of hiccups in terms of any thought of quote unquote selling data. There's, as you are, I know are very familiar with. So, Kate, do you have anything or Russ, do you have anything to add to that information? Okay, it's a good question and complicated. Oh yeah, right, what Susan is referencing around the analytic tables and other solutions that we're working on is its primary purpose is about accessibility and so we really do care a lot about trying to help make our data assets more and more easily available to a variety of users. Right now what we're talking about in the way these rules function, it's really about submission of data and then the allowable release of data in a raw data file kind of situation and secure analytic enclave or through an extract, but we are working to develop other ways in which analysts with maybe less capability or less infrastructure might be able to access data and we've come a long way even since this program started and developing data for download that's on our website and our Tableau visualizations to make our data and to make analytics by folks outside of the Green Mountain Care Board a little bit more accessible. So, Kevin, I had a quick question. Fire away, Robin. All right, I was curious if the Data Governance Council had talked about AHS's suggestion that we should be looking to promote the combination of claims and clinical data through vital because it appears to me from the presentation that that would be disallowed by the redisclosure rule which I assume is being driven or the redisclosure part of the rule that I assume is being driven by the statutory prohibition on personal identifiers. But I was just curious if that discussion had happened yet if there was a plan to talk about it or kind of what's going on on that topic. I'll just start and then I think I might turn it over to Mike or Russ in terms of anything in the rule. We do have a data linkage policy, Robin, that we looked at two different data sets, the cancer registry and am I missing? What was the other one, Kate? Do you remember off the top of your head? I'm sorry, it's a foggy day. I'm sorry, statistics? Yes, but we haven't specifically talked about the topic you brought up, Robin, which is I think taking our baby steps here is actually a good way to take those small steps towards a larger data integration. And I'm gonna stop there and let the data people talk more about it because I could be dangerous. Hey, this is Sarah Lindberg, thanks for the question. So yeah, I think everybody is pretty clear that that would be a great opportunity and one that we are interested in pursuing. I think that there is gonna be the exact way that that's gonna work might take a little time, but right now Vital is standing up some collaborative services. And so as part of that, our partners at Diva are already working on linking that clinical data with features and they have approval for that data linkage. And we're exploring ways to expand that. There are some restrictions on the clinical data gathered through the blueprint. Those are the business associate agreements explicitly as written today, prohibit use for regulatory purposes. So we just need to work on trying to make sure that the data sharing elements are all in place and that we can integrate that in as administratively unburdened some way as possible. Does that get to your question, Robin? Yeah, thanks, I think that's, it is a tricky area because of course, we know that in other contexts, not in the context of vCURES, but that there are some types of industries, for example, that routinely collect data sets, recombine them and then use that for example, marketing to physicians, which is something that the state had had a policy about trying to prohibit or trying to move away from. So I was just curious about kind of that balance. So thanks. No problem. Okay, other questions from the board? If not, I'm gonna open it up for the public, for public comments and questions. Is there any public comment? Good afternoon, board. This is Michael Durkin from Blue Cross in the Shield of Vermont. Can you hear me? We can. Okay, thank you. So I just want first and foremost, say that we recognize what is trying to be achieved here and as a general matter support the approach. As I read this rule, I understand there to be the 90 day implementation period with the requirement that test files be sent within 60 days. I think I brought this matter up at the data council meeting as well, but Sarah and others that are closer to it, certainly understand that in our experience, the implementation can get quite complicated, particularly if there's a data element that we don't retain in the ordinary course of business. So while I recognize there's an opportunity to petition for an extension, I would just encourage the board to consider whether these timeframes make sense and maybe expand it out to 180 days with a 90 day test. Thank you. Thank you, Michael. Is there other public comment or question? Russ, do we need to vote on these today or can we do a little bit more homework and take it up at the next meeting? We can take it up at the next meeting if that's the board's preference. There's no deadline that we're going to hit if the board doesn't vote on it today. Do board members wish to make a motion today or would you be more comfortable waiting until possibly we could have a chance to work through the suggestion by Michael Durkin and just confirm that we're in compliance with 3.5? I think if there's no rush, we might as well wait and do that homework. Yeah, it seems like it makes sense to follow through on this. Are you good, Tom and Robin? Yeah. So let's plan on taking this up again at the next meeting and planning to vote at that time. And Kate and Russ, if you could do, try to give us a little bit more background on the issue that Mr. Durkin raised and whether it makes sense or not for that meeting would be great. Absolutely. Okay, is there any other public discussion on data governance? Hearing none, I want to thank Russ and Kate and Susan and Sarah and everybody. I saw that some members of the Data Governance Council patiently sat through the meeting, which is very great. And we thank you for your service on that council. It's important work. So thank you. Is there any old business to come before the board? Is there any new business to come before the board? Is there a motion to adjourn? So moved. Second. It's been moved by Maureen and seconded by Jess to adjourn. All those in favor, signify by saying aye. Aye. Those opposed, signify by saying nay. Thank you everyone and have a great rest of the day. We haven't had snow yet here in Rutland, but we had some sleet. I don't know how you guys are doing in the northern part of the state if you're actually getting snow, but try to stay warm. Yeah. Yeah, coming down hard in Burlington. The death bills are suffering. So much for the early spring. Have a great day, everyone. Take care.