[Federal Register Volume 76, Number 153 (Tuesday, August 9, 2011)]
[Proposed Rules]
[Pages 48769-48776]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-20219]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 170

RIN 0991-AB78


Metadata Standards To Support Nationwide Electronic Health 
Information Exchange

AGENCY: Office of the National Coordinator for Health Information 
Technology, Department of Health and Human Services.

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: Through this advance notice of proposed rulemaking (ANPRM), 
the Office of the National Coordination for Health Information 
Technology (ONC) is soliciting public comments on metadata standards to 
support nationwide electronic health information exchange. We are 
specifically interested in public comments on the following categories 
of metadata recommended by both the HIT Policy Committee and HIT 
Standards Committee: patient identity; provenance; and privacy. We also 
request public comments on any additional metadata categories, metadata 
elements, or metadata syntax that should be considered. The immediate 
scope of this ANPRM is the association of metadata with summary care 
records. More specifically, in the scenario where a patient obtains a 
summary care record from a health care provider's electronic health 
record technology or requests for it to be transmitted to their 
personal health record. Public comment, however, is also welcome on the 
use of metadata relative to other electronic health information 
contexts.

DATES: To be assured consideration, written comments must be received 
at one of the addresses provided below, no later than 5 p.m. on 
September 23, 2011. Similarly, electronic comments must be received by 
Midnight Eastern Time on September 23, 2011 as the Federal Docket 
Management System will not accept comments after this time.

ADDRESSES: Because of staff and resource limitations, we cannot accept 
comments by facsimile (FAX) transmission. You may submit comments, 
identified by RIN 0991- AB78, by any of the following methods (please 
do not submit duplicate comments).
     Federal eRulemaking Portal: Follow the instructions for 
submitting comments. Attachments should be in Microsoft Word or Excel, 
Adobe PDF; however, we prefer Microsoft Word. http://www.regulations.gov.
     Regular, Express, or Overnight Mail: Department of Health 
and Human Services, Office of the National Coordinator for Health 
Information Technology, Attention: Steven Posnack, Hubert H. Humphrey 
Building, Suite 729D, 200 Independence Ave., SW., Washington, DC 20201. 
Please submit one original and two copies.
     Hand Delivery or Courier: Office of the National 
Coordinator for Health Information Technology, Attention: Steven 
Posnack, Hubert H. Humphrey Building, Suite 729D, 200 Independence 
Ave., SW., Washington, DC 20201. Please submit one original and two 
copies. (Because access to the interior of the Hubert H. Humphrey 
Building is not readily available to persons without federal government 
identification, commenters are encouraged to leave their comments in 
the mail drop slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in

[[Page 48770]]

a comment. Please do not include anything in your comment submission 
that you do not wish to share with the general public. Such information 
includes, but is not limited to: a person's social security number; 
date of birth; driver's license number; state identification number or 
foreign country equivalent; passport number; financial account number; 
credit or debit card number; any personal health information; or any 
business information that could be considered to be proprietary. We 
will post all comments received before the close of the comment period 
at http://www.regulations.gov.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov or U.S. Department 
of Health and Human Services, Office of the National Coordinator for 
Health Information Technology, Hubert H. Humphrey Building, Suite 729D, 
200 Independence Ave., SW., Washington, DC 20201 (call ahead to the 
contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Steven Posnack, Director, Federal 
Policy Division, Office of Policy and Planning, Office of the National 
Coordinator for Health Information Technology, 202- 690-7151.

SUPPLEMENTARY INFORMATION:

Acronyms

ANPRM Advance Notice of Proposed Rulemaking
ASTM American Society for Testing and Materials
ARRA American Recovery and Reinvestment Act of 2009
BPPC Basic Patient Privacy Consents
CCR Continuity of Care Record
CDA R2 PCD Clinical Document Architecture Release 2: Patient Consent 
Directives
CDC Centers for Disease Control and Prevention
CDISC Clinical Data Interchange Standards Consortium
CFR Code of Federal Regulations
CMS Centers for Medicare & Medicaid Services
EHR Electronic Health Record
EPAL Enterprise Privacy Authorization Language
EO Executive Order
HIEs Health Information Exchanges
HHS Department of Health and Human Services
HL7 CDA R2 Health Level 7 Clinical Document Architecture Release 2
HL7 V2 Health Level 7 Version 2
HIT Health Information Technology
HITECH Act Health Information Technology for Economic and Clinical 
Health Act
ICD-9 International Classification of Diseases, 9th Revision
ICD-10 International Classification of Diseases, 10th Revision
IHE Integrating the Healthcare Enterprise
IHE XDS Integrating the Healthcare Enterprise Cross Enterprise 
Document Sharing
LOINC Logical Observation Identifiers Names and Codes
NIEM National Information Exchange Model
OID Object Identifier
OMB Office of Management and Budget
OSTP Office of Science and Technology Policy
ONC Office of the National Coordinator for Health Information 
Technology
P3P Platform for Privacy Preferences
PCAST President's Council of Advisors on Science and Technology
PHSA Public Health Service Act
RFI Request for Information
TDE Tagged Data Element
UEL Universal Exchange Language
URI Uniform Resource Identifier
URL Uniform Resource Locator
UUIDs Universally Unique Identifiers
XML eXtensible Markup Language

Table of Contents

I. Background
    A. Legislative History
    B. Regulatory History
    1. Initial Set of Standards, Implementation Specifications, and 
Certification Criteria for Electronic Health Record Technology; 
Interim Final Rule and Final Rule
    2. Revisions to Initial Set of Standards, Implementation 
Specifications, and Certification Criteria for EHR Technology; 
Interim Final Rule
    C. The President's Council of Advisors on Science and Technology 
(PCAST) Report
    1. Request for Information on PCAST Report Recommndations 
Affecting ONC Activities
    2. The PCAST Workgroup
    D. Analysis of Metadata Standards
    1. ONC-Commissioned Analysis
    2. HIT Standards Committee Analysis and Recommendations
II. Metadata Standards Under Consideration
    A. Metadata Standards Discussed and Specific Questions for 
Public Comment
    1. Patient Identity Metadata Standards
    2. Provenance Metadata Standards
    3. Privacy Metadata Standards
    B. Metadata Example
III. Additional Questions

I. Background

A. Legislative History

    The Health Information Technology for Economic and Clinical 
Health (HITECH) Act, Title XIII of Division A and Title IV of 
Division B of the American Recovery and Reinvestment Act of 2009 
(ARRA) (Pub. L. 111-5), was enacted on February 17, 2009. The HITECH 
Act amended the Public Health Service Act (PHSA) and established 
``Title XXX--Health Information Technology and Quality'' to improve 
health care quality, safety, and efficiency through the promotion of 
health information technology (HIT) and the electronic exchange of 
health information. Section 3003(b)(1)(A) of the PHSA states that 
``[t]he HIT Standards Committee shall recommend to the National 
Coordinator standards, implementation specifications, and 
certification criteria described in subsection (a) that have been 
developed, harmonized, or recognized by the HIT Standards Committee. 
* * *'' Section 3003(b)(2) of the PHSA states that ``[t]he HIT 
Standards Committee shall serve as a forum for the participation of 
a broad range of stakeholders to provide input on the development, 
harmonization, and recognition of standards, implementation 
specifications, and certification criteria necessary for the 
development and adoption of a nationwide health information 
technology infrastructure that allows for the electronic use and 
exchange of health information.''
    Section 3001(c)(1)(A) of the PHSA, under ``Duties of the 
National Coordinator,'' states that the National Coordinator shall 
``review and determine whether to endorse each standard, 
implementation specification, and certification criterion for the 
electronic exchange and use of health information that is 
recommended by the HIT Standards Committee under section 3003 for 
purposes of adoption [by the Secretary] under section 3004.''
    Section 3004 of the PHSA identifies a process for the adoption 
of health IT standards, implementation specifications, and 
certification criteria and authorizes the Secretary of Health and 
Human Services (the Secretary) to adopt such standards, 
implementation specifications, and certification criteria. As 
specified in section 3004(a)(1), the Secretary is required, in 
consultation with representatives of other relevant Federal 
agencies, to jointly review standards, implementation 
specifications, and certification criteria endorsed by the National 
Coordinator for Health Information Technology (the National 
Coordinator) under section 3001(c) and subsequently determine 
whether to propose the adoption of any grouping of such standards, 
implementation specifications, or certification criteria. Section 
3004(b)(1) of the PHSA requires the Secretary to adopt an initial 
set of standards, implementation specifications, and certification 
criteria for the areas required for consideration under section 
3002(b)(2)(B) by December 31, 2009 and permits the Secretary to 
adopt the initial set through an interim final rule. Section 
3004(b)(3) of the PHSA directs the Secretary to ``adopt additional 
standards, implementation specifications, and certification criteria 
as necessary and consistent with the schedule'' developed by the HIT 
Standards Committee under section 3003(b)(3) of the PHSA \1\ for the 
assessment of policy recommendations developed by the HIT Policy 
Committee.
---------------------------------------------------------------------------

    \1\ PHSA section 3004(b)(3) incorrectly references section 
3003(b)(2) when referring to the schedule developed by the HIT 
Standards Committee. We have used the correct citation: 3003(b)(3).

---------------------------------------------------------------------------

[[Page 48771]]

B. Regulatory History

1. Initial Set of Standards, Implementation Specifications, and 
Certification Criteria for Electronic Health Record Technology; Interim 
Final Rule and Final Rule

    On January 13, 2010, the Department of Health and Human Services 
(HHS) published in the Federal Register an interim final rule with a 
request for comment, which adopted an initial set of standards, 
implementation specifications, and certification criteria (75 FR 
2014). The certification criteria adopted in that interim final rule 
established the required capabilities and specified the related 
standards and implementation specifications that certified 
electronic health record (EHR) technology would need to include to, 
at a minimum, support the achievement of meaningful use Stage 1 as 
proposed by the Centers for Medicare & Medicaid Services (CMS) for 
eligible professionals and eligible hospitals under the Medicare and 
Medicaid EHR Incentive Programs. For consistency with other 
regulations, hereafter, references to ``eligible hospitals'' shall 
mean eligible hospitals, critical access hospitals, or both, as 
defined in 42 CFR 495.4.
    On July 28, 2010, HHS published in the Federal Register a final 
rule (75 FR 44590) to complete the Secretary's adoption of the 
initial set of standards, implementation specifications, and 
certification criteria, and to more closely align such standards, 
implementation specifications, and certification criteria with final 
meaningful use Stage 1 objectives and measures (the ``Standards and 
Certification Criteria Final Rule''). Complete EHRs and EHR Modules 
are tested and certified according to adopted certification criteria 
to ensure that they have properly implemented adopted standards and 
implementation specifications and otherwise comply with the adopted 
certification criteria.

2. Revisions to Initial Set of Standards, Implementation 
Specifications, and Certification Criteria for EHR Technology; Interim 
Final Rule

    On October 13, 2010, HHS published in the Federal Register an 
interim final rule (75 FR 62686) with a request for comment to 
remove the implementation specifications related to public health 
surveillance from the adopted standard and certification criterion. 
In response to public comment on the interim final rule published on 
January 13, 2010, we adopted in the Standards and Certification 
Criteria Final Rule the following implementation specifications for 
HL7 2.5.1: Public Health Information Network HL7 Version 2.5 Message 
Structure Specification for National Condition Reporting Final 
Version 1.0 and the Errata and Clarifications National Notification 
Message Structural Specification (45 CFR 170.205(d)(2)). After 
publication of the Standards and Certification Criteria Final Rule, 
various stakeholders and state public health agencies made numerous 
inquiries and expressed concerns about the appropriateness of these 
implementation specifications. Upon further review of the 
implementation specifications and consultation with the Centers for 
Disease Control and Prevention (CDC), we determined that these 
implementation specifications were adopted in error. Therefore, we 
revised 45 CFR 170.205(d)(2) to remove these particular adopted 
implementation specifications and removed from 45 CFR 170.302(l) the 
text ``(and applicable implementation specifications)'' to provide 
additional clarity.

C. The President's Council of Advisors on Science and Technology 
(PCAST) Report

    On December 8, 2010, the President's Council of Advisors on 
Science and Technology (PCAST) released a report entitled 
``Realizing the Full Potential of Health Information Technology to 
Improve Healthcare for Americans: The Path Forward'' (the PCAST 
Report).\2\ PCAST is an advisory group of the nation's leading 
scientists and engineers who directly advise the President and the 
Executive Office of the President. PCAST makes policy 
recommendations in many areas where the understanding of science, 
technology, and innovation is key to strengthening our economy and 
forming policy that works for the American people. PCAST is 
administered by the Office of Science and Technology Policy (OSTP) 
within the Executive Office of the President. Generally speaking, 
the PCAST Report included both a broad vision and specific 
recommendations to accelerate the nation's progress toward 
electronic health information exchange. Many of the PCAST Report's 
recommendations are related to electronic health information 
exchange activities that ONC could directly affect.
---------------------------------------------------------------------------

    \2\ http://www.whitehouse.gov/administration/eop/ostp/pcast
---------------------------------------------------------------------------

1. Request for Information on PCAST Report Recommendations Affecting 
ONC Activities

    On December 10, 2010, the Office of the National Coordinator for 
Health Information Technology (ONC) issued a Request for Information 
(RFI) to seek public comment on the PCAST Report's vision and 
recommendations and how they may be best addressed (75 FR 76986). 
The RFI sought specific feedback on nine questions which are best 
organized according to the following categories:
     The standards, implementation specifications, 
certification criteria, and certification processes for EHR 
technology and other types of HIT that would be required to 
implement some of the PCAST Report's recommendations;
     The current state of information technology solutions 
needed to support the PCAST Report's vision as well as lessons that 
could be learned from other industry implementations;
     The steps that could be taken to best integrate the 
changes envisioned by the PCAST Report into future stages of 
meaningful use; and
     The impact of the PCAST recommendations on ONC programs 
and ongoing activities.
    In total, ONC received 105 timely comments on the RFI from 
stakeholders throughout the health care industry. These comments 
were consolidated into a summary report to inform the deliberations 
of the PCAST Workgroup formed under the HIT Policy Committee 
(discussed below). The following major themes emerged from public 
comments: timelines; the effects on ONC programs; implementation of 
the PCAST recommendations; privacy and security; and standards.
     Timelines. Several commenters supported the PCAST 
recommendations to increase information exchange capacity before 
meaningful use Stage 2. A significant majority of commenters, 
however, were concerned that attempting to fully implement the PCAST 
recommendations in the midst of meaningful use Stages 2 and 3 along 
with other changing standards such as the International 
Classification of Diseases, 9th Revision (ICD-9) transition to 
International Classification of Diseases, 10th Revision (ICD-10) 
could have potential negative effects. Many commenters suggested 
that the recommendations serve to inform a long term strategy rather 
than direct an immediate deviation from already laid groundwork 
created by meaningful use Stage 1 and other ONC electronic health 
information exchange activities.
     Effects on ONC Programs. A majority of commenters 
encouraged ONC to leverage the success of ongoing programs and avoid 
reinventing the wheel in the midst of the Medicare and Medicaid EHR 
Incentive Programs. Many commenters stated that fully implementing 
the PCAST Report's recommendations would require redesigning many of 
the ongoing federal HIT grants and contracts which could impose 
substantial costs to current participants. Some suggested that ONC 
begin with pilots to develop and test PCAST technology solutions 
before moving into broader implementation efforts.
     Implementation of PCAST Recommendations. Commenters 
generally agreed that health information exchanges (HIEs) and the 
electronic exchange of health information should be the focus of 
future stages of meaningful use. Regarding the exchange of 
individual data elements outside of a document structure, many 
agreed with the value of exchanging individual data elements but 
recommended that such a program begin with pilot testing that takes 
into account patient-linking and public trust issues.
     Privacy and Security. Several commenters supported the 
concept of giving patients granular consent as envisioned in the 
PCAST Report. However, many expressed concern that tagging patient 
privacy preferences to the data would lead to a static, rather than 
a dynamic, data control environment which could prevent patients 
from updating their privacy preferences once the data was released. 
The research community largely supported PCAST's concept of creating 
a subset of de-identified data for the purpose of research.
     Standards. Most commenters believed that ONC should 
learn from and leverage existing standards that incorporate metadata 
concepts. Some commenters asserted that ONC should pursue the 
metadata approach outlined in the PCAST Report because current 
standards do not allow for innovation, flexibility, or scalability 
and that today's predominantly document-centric environment would 
not support PCAST's

[[Page 48772]]

vision. Others contended that the PCAST Report's interoperability 
and electronic exchange goals could be met with existing and 
emerging standards.

2. The PCAST Workgroup

    In January 2011, ONC asked the HIT Policy Committee to provide a 
more detailed assessment of the PCAST Report's ONC-related 
recommendations, how implementing the recommendations could affect 
ONC's programs, and potential approaches ONC could pursue to realize 
the vision described in the PCAST Report. To respond to this 
request, the HIT Policy Committee, in conjunction with the HIT 
Standards Committee, formed an interdisciplinary PCAST Workgroup to 
analyze the RFI comments as well as solicit expert testimony through 
a public hearing held in February 2011.
    In April 2011, the HIT Policy Committee transmitted to ONC an 
analysis report that suggested incremental steps for ONC to pursue 
to achieve the vision described in the PCAST Report. As a feasible 
first step, the HIT Policy Committee suggested that ONC focus on 
facilitating the development and adoption of a minimal set of 
standards for metadata that could be ``wrapped around'' or attached 
to a summary care record when a patient seeks to download their 
health information from, for example, a health care provider's 
patient portal or when a patient directs his or her health care 
provider to transmit his or her health information to a personal 
health record (PHR). Generally speaking, the term ``metadata'' is 
often used to mean ``data about data'' or, in other words, ``data 
that provides more information or detail about a piece of data.''
    The HIT Policy Committee suggested that it would be practical to 
include this capability as part of the EHR certification 
requirements to support meaningful use Stage 2 under the Medicare 
and Medicaid EHR Incentive Programs. Moreover, in the context of 
this first ``use case,'' the HIT Policy Committee noted that a 
minimum set of metadata (and accompanying standards) should focus on 
these three categories: patient identity (data elements about a 
patient), provenance (data elements about the source of the clinical 
data), and privacy (data elements about the type(s) and sensitivity 
of clinical data included). Additionally, the HIT Policy Committee 
noted that if these metadata are available, they could potentially 
increase the level of trust that receiving providers would place in 
clinical information that they receive through patient-mediated 
exchange, such as from a PHR, and could enable patients to more 
easily sort and re-share their own health information.

D. Analysis of Metadata Standards

1. ONC-Commissioned Analysis

    In parallel with the work being done by the PCAST Workgroup, ONC 
commissioned an in-depth analysis of several widely implemented 
standards that include metadata. This analysis examined the various 
data elements each standard includes and identified certain 
categories of metadata that could be readily adopted as metadata 
standards. On April 20, 2011, this analysis was presented to the HIT 
Standards Committee, which included metadata options for patient 
identity, provenance, and privacy.
     Patient Identity Metadata: The analysis generally 
described patient identity metadata as the necessary data required 
to uniquely select a patient from a population with a guaranteed 
degree of accuracy. The research also indicated that patient 
identity metadata should include a patient's current full name, 
previous names with associated date ranges (as an optional element), 
date of birth, postal code, and one type of patient identification 
data (ID) along with the origin of that ID. The following standards 
were reviewed and compared relative to how patient identity metadata 
is represented: Health Level 7 Version 2 (HL7 V2) messages; 
Integrating the Healthcare Enterprise Cross Enterprise Document 
Sharing (IHE XDS) Metadata; Health Level 7 Clinical Document 
Architecture Release 2 (HL7 CDA R2); American Society for Testing 
and Materials (ASTM) Continuity of Care Record (CCR); Google CCR; 
and National Information Exchange Model (NIEM).
     Provenance Metadata: The analysis generally described 
provenance metadata as data that provides information on a dataset's 
history, origin, and modifications. Research suggested that 
provenance metadata should include information that describes the 
event that led to the creation of the tagged data as well as other 
associated events that provide causal links to the data. The 
research also indicated that provenance metadata include information 
about when and how the tagged data had been exchanged in the past. 
It emphasized that digital signatures could be used as metadata as a 
way to ensure that the data had not been altered since its creation. 
The report gave comparisons on the NIEM, IHE XDS Metadata, HL7 CDA 
R2, and Clinical Data Interchange Standards Consortium (CDISC) 
standards related to providing the above information on provenance.
     Privacy Metadata: For privacy metadata, the 
commissioned analysis of metadata standards examined what data could 
be used to convey and communicate patient preferences (permissions 
or limits) associated with the sharing of his or her health 
information. The analysis first concluded that it was not feasible 
to include the privacy policy with each tagged data element because 
policy can change over time, and that a pointer to an external 
registry would be most appropriate. Noting that there was not 
sufficient information to determine how such privacy policy 
registries would be implemented, the research indicated that privacy 
metadata related to the underlying contents (i.e., what kind of 
information is within a document or message) and its sensitivity 
(i.e., by whom, and what the recipient(s) of the data is/may be 
obligated or prevented from doing after accessing the data) would be 
the most useful to include in an initial set of metadata. The 
research compared the ability of Platform for Privacy Preferences 
(P3P), Enterprise Privacy Authorization Language (EPAL), Basic 
Patient Privacy Consents (BPPC), IHE XDS, and Clinical Document 
Architecture Release 2: Patient Consent Directives (CDA R2 PCD) 
metadata standards to convey the above information.

2. HIT Standards Committee Analysis and Recommendations

    In April 2011, after the receipt of the ONC-commissioned 
analysis on metadata standards, the HIT Standards Committee formed a 
``metadata power team'' to further consider this analysis in order 
to identify metadata standards that would be appropriate for 
electronic health information exchange. On May 18, 2011, after a 
series of public meetings, the metadata power team presented to the 
HIT Standards Committee their review of the metadata elements that 
would be best to consider for patient identity and provenance. On 
May 25, 2011, the metadata power team held another meeting which 
focused on the analysis of privacy metadata elements.
    On June 22, 2011, the metadata power team submitted its complete 
analysis and a set of recommendations to the HIT Standards Committee 
on the data elements that should be included as part of metadata 
standards for patient identity, provenance, and privacy. The HIT 
Standards Committee discussed and subsequently approved the metadata 
power team's findings. The HIT Standards Committee submitted its 
recommendations on metadata elements and standards to the National 
Coordinator and expressed its expectation that ONC would conduct 
further testing and evaluation prior to proposing these standards 
for adoption through rulemaking.
    Upon receipt of the HIT Standards Committee's metadata standards 
recommendations, the National Coordinator followed the process 
outlined in the sections 3001(c)(1)(A) and (B) of the PHSA. These 
provisions require the National Coordinator to ``(A) review and 
determine whether to endorse each standard, implementation 
specification, and certification criterion for the electronic 
exchange and use of health information that is recommended by the 
HIT Standards Committee under section 3003 for purposes of adoption 
under section 3004; [and] (B) make such determinations under 
subparagraph (A), and report to the Secretary such determinations, 
not later than 45 days after the date the recommendation is received 
by the Coordinator * * *''
    The National Coordinator endorsed the HIT Standards Committee 
recommendations on metadata standards and reported this 
determination to the Secretary for consideration under section 
3004(a) of the PHSA. Per section 3004(a)(2), if the Secretary 
determines ``to propose adoption of any grouping of such standards, 
implementation specifications, or certification criteria, the 
Secretary shall, by regulation under section 553 of title 5, United 
States Code, determine whether or not to adopt such grouping of 
standards, implementation specifications, or certification 
criteria.'' In accordance with section 3004(a)(3), the Secretary 
must also provide for publication in the Federal Register all 
determinations made by the Secretary under this provision. This 
ANPRM constitutes publication of the Secretary's determination.

[[Page 48773]]

II. Metadata Standards Under Consideration

    Section 3001 of the HITECH Act establishes ONC by statute and 
requires, under section 3001(b), the National Coordinator to 
``perform the duties under [section 3001](c) in a manner consistent 
with the development of a nationwide health information technology 
infrastructure that allows for the electronic use and exchange of 
information * * *'' Since the HITECH Act's enactment in February 
2009, ONC has developed a portfolio of initiatives to foster a 
nationwide health information technology infrastructure. The PCAST 
Report, published in December 2010, built on our progress to date 
and complemented our existing initiatives. It expressed a vision, 
with associated policy goals, that focused on key challenges ONC 
could undertake to accelerate its efforts in several electronic 
health information exchange areas. One such area, a cornerstone of 
the PCAST Report's vision, was to increase the health care 
industry's ability to understand and parse the health care data 
under its stewardship at a more granular level. The PCAST Report 
noted that the development of metadata standards was a critical 
first step to facilitating more granular understanding of data and 
to establishing a ``universal exchange language (UEL).'' The PCAST 
Report described the UEL as, ``some kind of extensible markup 
language (an XML variant, for example) capable of exchanging data 
from an unspecified number of (not necessarily harmonized) semantic 
realms. Such languages are structured as individual data elements, 
together with metadata that provide an annotation for each data 
element.''
    We believe that the use of metadata holds great promise and the 
adoption of metadata standards can help rapidly advance electronic 
health information exchange across a variety of different exchange 
architectures. The purpose of this ANPRM is to seek broad public 
comment on the metadata standards we are considering proposing for 
adoption in the next notice of proposed rulemaking with regard to 
the standards, implementation specifications, and certification 
criteria intended to support meaningful use Stage 2. We are 
considering whether to propose, as a requirement for certification, 
that EHR technology be capable of applying the metadata standards in 
the context of the use case selected by the HIT Policy Committee 
(i.e., when a patient downloads a summary care record from a health 
care provider's EHR technology or requests for it to be transmitted 
to their PHR). For example, if a patient seeks to obtain an 
electronic copy of her health information, her doctor's EHR 
technology would have to be capable of creating a summary care 
record and subsequently assigning metadata to the summary care 
record before the patient receives it. From an EHR technology 
developer's perspective, we believe this approach would be the least 
difficult to implement in support of meaningful use Stage 2. 
However, generally speaking, we believe this capability may also be 
able to be applied to other directed transfers of summary care 
records (e.g., as part of requirements concerning transitions of 
care). Additionally, looking prospectively, once EHR technology is 
capable of applying metadata, we believe that the health care 
industry could gradually develop innovative ways to repurpose this 
general capability to create more specialized extensions to meet 
future specific policy and organizational objectives. For instance, 
the EHR technology's capability to assign metadata to documents or 
more granular data elements could be used within an organization to 
appropriately filter data prior to making a disclosure or to process 
information more efficiently for quality improvement and 
measurement. In addition to the specific metadata standards 
discussed below, we also request public comments on any other 
metadata categories, metadata elements, or metadata syntax that we 
should consider.
    Consistent with the recommendations of the HIT Standards 
Committee, ONC is interested in learning about and requests public 
comment on any real-life testing or use of these or other metadata 
standards relating to patient identity, provenance, or privacy. ONC 
also intends to seek pilot testing of these metadata standards to 
gain insights into any implementation-level challenges that may 
exist.

A. Metadata Standards Discussed and Specific Questions for Public 
Comment

    This section discusses the metadata standards we are considering 
for each of the three categories (patient identity, provenance, and 
privacy) as recommended by the HIT Standards Committee and includes 
specific questions for the public's consideration. Consistent with 
the recommendations of the HIT Standards Committee, we are 
considering proposing that the metadata would need to be expressed 
according to the requirements in the HL7 CDA R2 header (section 4.2 
of HL7 CDA R2). We are also considering whether to propose the 
adoption of additional metadata elements for certain information 
that is not currently required as part of the HL7 CDA R2 header. The 
HIT Standards Committee recommended the use of the HL7 CDA R2 header 
based on its belief that the HL7 CDA R2's XML format for describing 
generic clinical documents would best support the implementation of 
its recommendations. It specifically noted that among its many 
benefits the HL7 CDA R2 could best accommodate the international 
representation of names and could potentially support additional 
information if desired. The HIT Standards Committee first 
recommended the use of the HL7 CDA R2 header for patient identity 
metadata. Subsequently, it acknowledged and determined that even 
though other standards could support the metadata elements under 
consideration in the provenance and privacy categories that the use 
of the HL7 CDA R2 header for these two categories would complement 
its already recommended use for patient identity metadata. Its 
overall rationale for the selection and recommendation of the HL7 
CDA R2 header was that it provides wide coverage across metadata 
elements and working from a single standard would make 
implementation easier.
    At the end of this section, we provide a complete example of how 
the metadata could be expressed. We request public comment on the 
metadata standards discussed below and in response to the specific 
questions listed below.

1. Patient Identity Metadata Standards

    We are considering the following standard set of patient 
identity metadata recommended by HIT Standards Committee. This 
standard set would include the following data elements expressed 
according to the requirements explained below.
     Name: Would include the patient's name prefix (e.g., 
Mr. Ms. Dr.), given names (e.g., first and middle names/middle 
initial), family names, and name suffix. Inclusion of ``other name'' 
components, such as patient's maiden name, previous names, or 
mother's name for newborns would be optional.
     Date of birth: Would include the patient's date of 
birth.
     Address: Would include the patient's current primary 
address.
     Zip code: Would represent the zip code of the patient's 
current primary address. Zip codes for other addresses would be 
optional but, if included, would need to include date ranges for 
when the zip codes were applicable.
     Patient identifier(s): would include one or more of the 
identifiers used by a health care provider to uniquely identify the 
patient to which the underlying metadata pertain. For example, the 
last four digits of the social security number; the patient's 
driver's license number; the patient identification number assigned 
to the patient by a health care provider; or any combination of the 
above.
    For each of the above elements, consistent with the HIT 
Standards Committee's recommendation, we would consider requiring 
that they be expressed according to HL7 CDA R2 header syntax. We 
would not expect, however, to require the implementation of the 
surrounding structure that a complete, valid HL7 CDA R2 header would 
include. Rather, our intent would be to leverage the way in which 
the HL7 CDA R2 header expresses how each data element would be 
represented and not to require that the HL7 CDA R2 header's 
structure also be implemented.
    Question 1: Are there additional metadata elements within the 
patient identity category that we should consider including? If so, 
why and what purpose would the additional element(s) serve? Should 
any of the elements listed above be removed? If so, why?
    Question 2: In cases where individuals lack address information, 
would it be appropriate to require that the current health care 
institution's address be used?
    In addition to the patient identity metadata that we would 
expect to be expressed using the HL7 CDA R2 header, we are 
considering requiring an additional metadata element to be included 
for ``display name.'' In this case, and as discussed by the HIT 
Standards Committee, we currently believe that extending name 
metadata beyond the HL7 CDA R2 header requirements\3\ to include a 
display name is important to accommodate names that do not always 
follow a ``first

[[Page 48774]]

name, middle name, last name'' format or to identify newborns whose 
names have not yet been assigned. We would expect to require that 
the display name metadata element be an XML element whose value is a 
string that captures the patient's name as it should be displayed or 
written. Without this addition, we believe that many systems may 
accidentally parse parts of a patient's name incorrectly due to the 
fact that in some cultures names are not structured according to 
first, middle, and last name segments. For example, the naming 
conventions in some cultures do not follow this structure and can 
result in the last name being incorrectly parsed or transposed. 
Therefore, for this metadata element, we are considering whether to 
propose that a full name string element be included to facilitate 
matching in cases where name components are incorrectly categorized.
---------------------------------------------------------------------------

    \3\ The HL7 CDA R2 schema's definition of name only supports the 
following components: Delimiter, family, given, prefix and suffix.
---------------------------------------------------------------------------

    Question 3: How difficult would it be today to include a 
``display name'' metadata element? Should a different approach be 
considered to accommodate the differences among cultural naming 
conventions?
    We are also considering whether to propose as a second 
extension, beyond the HL7 CDA R2, the use of a uniform resource 
identifier (URI) to act as a namespace for the patient identifier 
metadata as opposed to the use of an object identifier (OID) as 
specified in HL7 CDA R2. Currently, the definition of the ``id 
root'' attribute in the HL7 CDA R2 header is defined to only accept 
OIDs, universally unique identifiers (UUIDs), or specific HL7 
reserved identifiers, none of which can hold a URI. A URI could be 
used as a means to identify the associated ID type that would be 
used. For instance, http://www.nh.gov/safety/divisions/dmv gov/safety/divisions/dmv''/> indicates that the ID type is a New 
Hampshire driver's license. This extension would allow for an 
extensible, flexible mechanism to uniquely identify an individual, 
without having to explicitly specify what type of identifier is 
used. In the event multiple types of identifiers are used, a means 
to properly attribute the right information to each identifier would 
be necessary. We believe a URI can effectively serve this purpose.

2. Provenance Metadata Standards

    We are considering the following standard set of provenance 
metadata recommended by the HIT Standards Committee. The standard 
set would include the following data elements expressed according to 
the requirements explained below--a tagged data element (TDE) 
identifier; a time stamp; and the actor, the actor's affiliation, 
and the actor's digital certificate. These provenance metadata 
function as part of a ``wrapper'' that would convey the ``who, what, 
where, and when'' of the data being electronically exchanged. As 
with patient identity metadata, we would expect these provenance 
metadata elements to be expressed according to HL7 CDA R2 header 
syntax requirements, where applicable.
     TDE identifier: Would allow for other TDEs to link to 
this particular instance, thus preserving clinical context, and 
allow users to keep a log of the set of TDEs used for a particular 
task. For example, a TDE containing diagnostic study information 
could contain the identifier of another TDE that describes the 
encounter that led to that study.
     Time stamp: Would express when the content to which the 
metadata pertains was digitally signed.
     Actor and actor's affiliation: Would, in the form of a 
digital certificate, include the name of the actor who digitally 
signed the content to which the metadata pertains and the 
organizational affiliation of the actor. The HIT Standards Committee 
noted that this scheme allows for exchanges to occur involving 
either organizational actors or individual actors.
    The HIT Standards Committee also recommended that the X.509 
standard for certificates be used to digitally sign the content to 
which the metadata pertains. It noted that that digital certificates 
and digital signatures could be used to provide non-repudiation and 
tamper-resistance. The HIT Standards Committee further acknowledged 
that while its expectation was that an actor and its affiliation 
would be expressed in an X.509 certificate that there should be 
optional metadata fields for actor and actor affiliation for reasons 
including situations where EHR technology can understand the XML 
format of the HL7 CDA R2 header syntax, but cannot process more 
complex cryptographic signatures. As a final recommendation on 
provenance, the HIT Standards Committee recommended an optional 
portion of the actor/affiliation metadata should point to the entity 
record in the Enterprise-Level Provider Directory, which may be a 
URL (this concept is included in the metadata example illustrated 
below).
    Question 4: Are there additional metadata elements within the 
provenance category that we should consider including? If so, why 
and what purpose would the additional element(s) serve? Should any 
of the elements listed above be removed? If so, why?
    Generally, as recommended by the HIT Standards Committee, the 
metadata elements for time stamp, the actor, the actor's 
affiliation, and the actor's digital certificate all rely on one 
security architecture, the use of digital certificates. We are 
considering whether for the purposes of adopting metadata standards 
it would be beneficial to decouple the metadata elements from a 
particular security architecture. In short, we are contemplating 
whether it would be more effective and appropriate to adopt 
provenance metadata elements that do not rely on a single security 
architecture, but rather can be used in various security 
architectures.
    Question 5: With respect to the provenance metadata elements for 
time stamp, actor, and actor's affiliation, would it be more 
appropriate to require that those elements be expressed in XML 
syntax instead of relying on their inclusion in a digital 
certificate? For example, time stamp could express when the document 
to which the metadata pertain was created as opposed to when the 
content was digitally signed. Because this approach would decouple 
the provenance metadata from a specific security architecture, would 
its advantages outweigh those of digital certificates?

3. Privacy Metadata Standards

    At the outset, we note that the HIT Standards Committee made its 
recommendations on privacy metadata standards with the underlying 
assumption that any personally identifiable information would be 
exchanged in an appropriately secure manner (i.e., encrypted). In 
its assumed model, the HIT Standards Committee basically envisioned 
clinical content which is ``double wrapped''--first according to the 
metadata standards we are considering and then encrypted prior to 
the entire package of data being transported--meaning only the 
recipient of the entire package would be able to view the metadata 
once it has been decrypted. In other words, and from ONC's 
perspective, if circumstances would require the content to which the 
metadata pertain to be encrypted, the metadata would also be 
encrypted.
    As recommended by the HIT Standards Committee, we are 
considering the following standard set of privacy metadata which 
would include the following data elements expressed according to the 
requirements explained below--a ``policy pointer'' and content 
metadata elements.
     Policy pointer: would be a Uniform Resource Locator 
(URL) that points to the privacy policy in effect at the time the 
tagged data element is released. This metadata element would support 
the potential for external privacy policy registries to be used.
     Content metadata: would be used to represent those 
elements needed to implement and reflect organizational policies as 
well as those federal and state laws that would be applicable to the 
underlying data to which this metadata would pertain. Content 
metadata would be comprised of two components:
    [cir] Data type: would describe the underlying data to which 
this metadata pertains from a clinical perspective. For this 
metadata element, we are considering whether to propose that Logical 
Observation Identifiers Names and Codes (LOINC) codes be used to 
provide additional granularity.
    [cir] Sensitivity: HL7 vocabulary for sensitivity would be used 
to indicate at a more granular level the type of underlying data to 
which this metadata pertains in order for the potential for 
automated privacy filters to apply more stringent protections to the 
data in the event it is selected for a future disclosure.
    Again, we would expect that these privacy metadata would be 
expressed according to the HL7 CDA R2 header syntax requirements.
    Question 6: Are there additional metadata elements within the 
privacy category that we should consider including? If so, why and 
what purpose would the additional element(s) serve? Should any of 
the elements listed above be removed? If so, why?
    Question 7: What experience, if any, do stakeholders have 
regarding policy pointers? If implemented, in what form and for what 
purpose have policy pointers been used (for instance, to point to 
state, regional, or organizational policies, or to capture in a 
central location a patient's preferences regarding the sharing of 
their health information)? Could helpful concepts be drawn from the 
Health Information

[[Page 48775]]

Technology Standards Panel (HITSP) Transaction Package 30 (TP30) 
``Manage Consent Directives?''
    Question 8: Is a policy pointer metadata element a concept that 
is mature enough to include as part of the metadata standards we are 
considering? More specifically, we request comment on issues related 
to the persistence of URLs that would point to privacy policies 
(i.e., what if the URL changes over time) and the implication of 
changes in privacy policies over time (i.e., how would new policy 
available at the URL apply to data that was transmitted at an 
earlier date under an older policy that was available at the same 
URL)?
    Question 9: Assuming that a policy pointer metadata element 
pointed to one or more privacy policies, what standards would need 
to be in place for these policies to be computable?
    Question 10: With respect to the privacy category and content 
metadata related to ``data type,'' the HIT Standards Committee 
recommended the use of LOINC codes to provide additional 
granularity. Would another code or value set be more appropriate? If 
so, why?
    Question 11: The HIT Standards Committee recommended developing 
and using coded values for sensitivity to indicate that the tagged 
data may require special handling per established policy. It 
suggested that a possible starter set could be based on expanded 
version of the HL7 ConfidentialityByInfoType value set and include: 
``substance abuse; mental health; reproductive health; sexually 
transmitted disease; HIV/AIDS; genetic information; violence; and 
other.'' During this discussion, several members of the HIT 
Standards Committee raised concerns that a recipient of a summary 
care record tagged according to these sensitivity values could make 
direct inferences about the data to which the metadata pertain. 
Consistent with this concern, HL7 indicates in its documentation 
that for health information in transit, implementers should avoid 
using the ConfidentialityByInfoType value set. HL7 also indicates 
that utilizing another value set, the ConfidentialityByAccessKind 
value set which describes privacy policies at a higher level, 
requires careful consideration prior to use due to the fact that 
some items in the code set were not appropriate to use with actual 
patient data. In addition, the HIT Standards Committee recommended 
against adopting an approach that would tag privacy policies 
directly to the data elements. What kind of starter value set would 
be most useful for a sensitivity metadata element to indicate? How 
should those values be referenced? Should the value set be small and 
general, or larger and specific, or some other combination? Does a 
widely used/commonly agreed to value set already exist for 
sensitivity that we should considering using?
    Question 12: In its recommendations on privacy metadata, the HIT 
Standards Committee concluded that it was not viable to include the 
policy applicable to each TDE because policy changes over time. Is 
this the appropriate approach? Are there circumstances in which it 
would be appropriate to include privacy preferences or policy with 
each data tagged element? If so, under what circumstances? What is 
the appropriate way to indicate that exchanged information may not 
be re-disclosed without obtaining additional patient permission? Are 
there existing standards to communicate this limitation?

B. Metadata Example

    The following is a complete example of how the standard sets of 
metadata elements for the three categories discussed above could be 
expressed.

--------------------------------------------------------------------------------------------------------------------------------------------------------
             Metadata element                     Expressed according to HL7 CDA R2 requirements (where applicable)                     Notes
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provenance--TDE ID.......................  
Privacy--Content Data Type...............  
Provenance--Timestamp....................                                          ............................
Privacy--Content Sensitivity.............                                              ............................
Patient ID--ID...........................        Note that in a CDA R2
                                                                                                                             Header, the root attribute
                                                                                                                             would typically be an OID
Patient ID--Address......................   1234 Main St. Apt 3     ............................
                                           Bedford
                                           MA/state>
                                           01730
                                                                                                                     ............................
Patient ID--Name.........................                                                                             Note that displayName is not
                                                                                                                             part of the HL7 CDA R2
                                                                                                                             header.
                                           Dr.                                            ............................
                                            John                                                             ............................
                                           William                                                           ............................
                                           Smith                                                           ............................
                                           Dr. John William Smith                                ............................
                                                                                                                     ............................
Patient ID--DOB..........................                                                    ............................
Provenance--Actor........................                                   Entry is not part of the
                                                                                                                             HL7 CDA R2 header.
                                                                                                                      ............................
                                           Smith                                                           ............................
                                           John                                                              ............................
                                           Dr.                                                             ............................
                                                                                                                     ............................
                                           
Privacy--Policy Pointer..................  
Provenance--Affiliation..................   
                                           St. Elsewhere Hospital                                              ............................
                                                                                           ............................

[[Page 48776]]

 
                                                                                                  ............................
--------------------------------------------------------------------------------------------------------------------------------------------------------

III. Additional Questions

    To better inform future proposals, we seek public comment on the 
following specific questions. Commenters are also welcome to provide 
feedback on any of the considerations and expectations we expressed 
above even where a specific question is not asked.
    Question 13: With respect to the first use case identified by 
the HIT Policy Committee for when metadata should be assigned (i.e., 
a patient obtaining their summary care record from a health care 
provider), how difficult would it be for EHR technology developers 
to include this capability in EHR technology according to the 
standards discussed above in order to support meaningful use Stage 
2?
    Question 14: Assuming we were to require that EHR technology be 
capable of meeting the first use case identified by the HIT Policy 
Committee, how much more difficult would it be to design EHR 
technology to assign metadata in other electronic exchange scenarios 
in order to support meaningful use Stage 2? Please identify any 
difficulties and the specific electronic exchange scenario(s).
    Question 15: Building on Question 14, and looking more long 
term, how would the extension of metadata standards to other forms 
of electronic health information exchange affect ongoing messaging 
and transactions? Are there other potential uses cases (e.g., 
exchanging information for treatment by a health care provider, for 
research, or public health) for metadata that we should be 
considering? Would the set of metadata currently under consideration 
support these different use cases or would we need to consider other 
metadata elements?
    Question 16: Are there other metadata categories besides the 
three (patient identity, provenance, and privacy) we considered 
above that should be included? If so, please identify the metadata 
elements that would be within the category or categories, your 
rationale for including them, and the syntax that should be used to 
represent the metadata element(s).
    Question 17: In addition to the metadata standards and data 
elements we are considering, what other implementation factors or 
contexts should be considered as we think about implementation 
specifications for these metadata standards?
    Question 18: Besides the HL7 CDA R2 header, are there other 
standards that we should consider that can provide an equivalent 
level of syntax and specificity? If so, do these alternative 
standards offer any benefits with regard to intellectual property 
and licensing issues?
    Question 19: The HL7 CDA R2 header contains additional 
``structural'' XML elements that help organize the header and enable 
it to be processed by a computer. Presently, we are considering 
leveraging the HL7 CDA R2 header insofar as the syntax requirement 
it expresses relate to a metadata element we are considering. Should 
we consider including as a proposed requirement the additional 
structures to create a valid HL7 CDA R2 header?
    Question 20: Executive Order (EO) 13563 entitled ``Improving 
Regulation and Regulatory Review'' directs agencies ``to the extent 
feasible, [to] specify performance objectives, rather than 
specifying the behavior or manner of compliance that regulated 
entities must adopt;'' (EO 13563, Section 1(b)(4)). Besides the 
current standards we are considering, are there performance-oriented 
standards related to metadata that we should consider?

    Dated: August 4, 2011.
Kathleen Sebelius,
Secretary.

[FR Doc. 2011-20219 Filed 8-8-11; 8:45 am]
BILLING CODE 4150-45-P