Notes from Best Practices Workgroup
Date: September 16, 2010
Time: 1:00 - 2:00pm EST
Attendees:
Nageshwara (Dragon) Bashyam, Peter Clark, Richard Elmore, John Feikema, Michael Firriolo, Jack Kemery, David Kibbe, David McCallie, Kevin McLeod, John Moehrke, Patrick Pyette, Susan Torzewski, Laurie Tull, John Williams, Arien Malec, Uvinie Hettiaratchy, Caitlin Ryan

Actions

Actions for this Week
# | Date | Action | Status | Owner | Due Date
1 | 2010-09-16 | Update Best Practices WG charter to reflect the meeting’s topics of conversation, especially making it easy to implement in the real world. | Open | Arien Malec | 2010-09-23
2 | 2010-09-16 | Will ask Implementation Geographies to come up with list of policy considerations that they believe would be helpful to get best practice guidance on. | Open | Arien Malec | 2010-09-23

Agenda
  1. Introduction and goals of the group
  2. Round on integration with HIT Policy Committee, Privacy & Security Tiger Team, etc.
  3. Round on charter
  4. (If time) Review of policy considerations document, feedback from implementation geographies, etc.


Notes
Arien Malec


· Explained that the WG has been renamed from Policy WG to Best Practices WG because they will not be setting policy, but instead are setting best practices related to policy.
· Sees the work of this WG as best practices guidance fitting between the policy guidance that the HIT Policy Committee and Privacy and Security Tiger Team are providing, and the decisions and policies created by local implementations.
o For example, HITPC has approved the recommendations of the Tiger Team regarding triggers for consent.
      • Right now they are a pending set of policy recommendations from the Policy Committee to advise the ONC.
      • The recommendations do not define how consent should be obtained or what the operational implications are for deciding whether a particular exchange fits into the “directed messaging” parameters established by the Tiger Team, and what the best practices are for obtaining that consent.
· Right now the WG has a rather vague charter, so WG needs to prioritize key areas for best practices guidance.
· There are two parallel efforts occurring, both defining policy:
o First effort includes the work done by the Tiger Team: they’ve completed a first round of drafting guidance and are getting ready for a second round.
o Second effort comes out of the Governance Workgroup: they are looking at governance policies and procedures.
· This WG should not jump the gun or provide contradicting guidance to what these bodies are producing.
o Need to coordinate with the Tiger Team.
o There is a lot of overlap between membership of the Best Practices WG and the Tiger Team to be able to work through any issues.

Round the Room: Clarifications/Additions to Charter and Opinions on WG Priorities
Name
Comment
Rich Elmore
· No comment.
Susan Torzewski
· No comment.
Kevin McLeod
· No comment.
Laurie Tull
· Introduced authentication as a key topic.
Peter Clark
· No comment.
David McCallie
· Wants to see the WG remain focused on making implementing NHIN Direct as simple as possible for people who want to.
· NHIN Direct members get teased because they are essentially creating a better fax, but fax is a process that is underway in most or even all physician offices.
· Wants to make people directly interchanging messages as unintimidating as possible, keep very simple.
Arien Malec
· Wants to make it a goal to make it as easy as possible for an HIO or HISP to understand that if they’ve checked all the boxes, they have a reasonably decent shot of being in the right policy area.
David McCallie
· Might be possible to define some standard use cases where we postulate that a set of assumptions makes sense to us on a consensus basis, so we give them a template to use, stipulating that they can use at their own risk.
David Kibbe
· Wants to reinforce the message about simplicity.
· Wants to stay focused on small- and medium-sized medical practices who want to connect to meet MU criteria.
· There is enormous interest in MU among the physician population in this country.
· The providers are mostly small, most in smaller communities where there are a lot of other small practices and the need for Direct will be very large.
· Has noticed that the project needs to go back to those principles they started out with: MU, simplicity.
· As time goes by the project has seemed to gravitate toward the enterprise view of the world, which he agrees is also very important, but they already have a lot of resources.
· Need to stay aimed at providers and their patients where the resources are minimal, and give them simple solutions.
Arien Malec
· Agreed.
· Pointed out that if recommendations are hard to implement without significant resources, WG will need to rethink them.
John Williams
· Should focus on providers and how they relate to MU and consent of patients.
Michael Firriolo
· No additional comment.
Dragon Bashyam
· No additional comment.
Patrick Pyette
· No additional comment.
Jack Kemery
· No additional comment.
John Feikema
· Should stay focused on near-term use cases.
Tim Cromwell
· With respect to patient authorization, the VA has an opt-in model, which will require authorization from veterans to share info.
· Thought that model would also cover any authorization of consent that would be involved with the NHIN.
Arien Malec
· Sees an additional need for guidance on if you’ve already obtained consent, how far does that consent go?

Arien Malec
· Heard charter come out in the following two areas:
o Focusing on use cases and MU criteria.
o Focusing work on making this process as operationally simple as possible and consistent with policy recommendations for small practices who are running exchange services.
Jack Kemery
· Thinks these areas are priorities rather than a change to or constraint on the charter.
Arien Malec
· Heard two early areas of interest for first priorities:
1) Provider identity assurance.
2) Applicability of “directed messaging” as established by the Tiger Team.
Round the Room: First WG Priorities
Name
Comment
Rich Elmore
· WG should facilitate the work of the Implementation Geographies WG.
Arien Malec
· Supported idea of letting Implementation Geographies set the direction of the Best Practices WG priorities.
Susan Torzewski
· Keep it simple.
· Determine consent levels, between opt-in and opt-out.
Kevin McLeod
· No comment.
Laurie Tull
· No comment.
Peter Clark
· Agreed to keep it simple.
David McCallie
· Liked Rich’s suggestion to let Implementation Geographies WG feed with burning issues.
· Suggested that Arien’s calling out of authentication is one of those issues.
· Would broaden to the simple question of “who should I allow these exchanges to occur with and how do I determine this?”
· Then when developing a trust model based on signing certificate authorities, there is a question of how do I set those up and who do I trust? How do I know I trust them?
Arien Malec
· Modifying identity assurance, adding in relevant aspects of certificate authorities and trust models.
David McCallie
· Will come down to which rubric to trust in assigning a certificate.
Rich Elmore
· Through Communications WG work has heard the question “what is NHIN Direct?” in terms of certificating a health internet address.
David McCallie
· For instance, they will have to make decisions about accepting self-signed certificates? Or only federally blessed certificates?
David Kibbe
· One problem with keeping everything very simple is that people start raising questions, doubting it can work.
· Need to nail down the providers’ identity assurance authorization.
· Thinks WG needs to be very clear that this is occurring under the rubric of HIPAA and covered entities, unless that somehow changes.
· Tiger Team did a great job in identifying the additional problems that may arise when a person’s information is going into an organization so that a lot of people who are not “my doctor” are seeing my health information.
· Need to keep it clear that for Direct, we are talking about covered entities communicating with other covered entities, which is a principle of HIPAA.
· Unless that isn’t right and there is some exception to that, it should be clear we are dealing with only covered entities.
· He’s heard people say they will need the consent of the patient in order to use NHIN Direct.
Arien Malec
· Would only cross that boundary where we need the consent of the patient if it is not just a directed exchange.
· If as a side effect, you’re also retaining copies of the record for legitimate aims (quality reporting, etc.), you may end up crossing that line.
· Guidance in this situation could be “don’t have side effects XYZ” or “if you have side effects XYZ, then you are falling here on the spectrum and not there.”
David Kibbe
· Agreed.
· Thinks that is the way to do it, rather than adding on another layer of consent management.
Susan Torzewski
· Thought that NHIN Direct only described direct message delivery, and other activities fell under NHIN Exchange and NHIN Exchange policies.
Arien Malec
· Agreed that is correct, but knows there are organizations that do tightly couple the NHIN Direct and NHIN Exchange models.
· Would be useful best practice guidance to show how to not do that.

David McCallie
· Had a fair amount of discussion during the Tiger Team meeting that technically there are provider organizations that do not use an automated billing transaction, so are not covered entities, but those entities should be held to the same standard as the covered entities, with a standard of meaningful consent and direct exchange versus indirect exchange.
John Williams
· No comment.
Michael Firriolo
· No comment.
Dragon Bashyam
· Agrees.
Pat Pyette
· Liked the direction of discussion.
· Supported focusing on implementation geographies.
· On consent: if NHIN Direct is effectively a better fax, then from a consent perspective, providers should be doing nothing more than what they were doing if they still had fax.
· Questioning if it is appropriate for this group to tackle this question.
Arien Malec
· Policy Committee has established a set of policies related to directed exchange following certain characteristics.
· As a best practice, would recommend making it clear when you are doing directed exchange and when you have side effects, such as retention of records.
Pat Pyette
· Was not completely grasping all the subtleties.
· Provider could use Direct to provide to HIE or to a public health system.
Arien Malec
· Believes it would be useful to tease apart NHIN Direct standard from directed messaging.
· Can use direct standards for things that are not directed exchange, but users need to be clear about when they are doing this.
Pat Pyette
· Wants to scope the consent conversation around that distinction.
David McCallie
· Tiger Team’s point was to simplify the consent process.
· Expressly tried to make it simple by carving out this space for directed exchange.
· Goal was to keep as undisruptive as possible.
Arien Malec
· There was also a carve out for organized healthcare associations, OCAs defined in regulation.
· Intended to encompass essentially a broader subset of what an ACO might be.
· Tiger Team included OCAs under a set of data retention that would not trigger consent.
· Should consider the notion of “side effect free” and how it relates to best practices for NHIN Direct.
Jack Kemery
· Important to relate to consumers.
John Feikema
· No comment.
Tim Cromwell
· No comment.
John Moehrke
· Agreed with earlier statement about focusing on small practices.
· Larger organizations have resources and can figure this out for themselves.
· Smaller practices who might not be familiar with the technical aspects need an introduction.
· Should develop best practices for every perspective we have participating, but focusing on small practices.
Arien Malec
· For remainder of meeting:
o could get into a particular topic, such as the policy considerations document,
o or he could throw out a question he thinks needs best practice guidance,
o or WG could quit early and come more focused next week.
· Key takeaways:
o -->Will update the charter to reflect the meeting’s topics of conversation.
-->Making it easy to implement in the real world.
o -->Will ask Implementation Geographies to come up with list of policy considerations that they believe would be helpful to get best practice guidance on.
· Topic for remainder of meeting: requirements for identity assurance and the central question of trust.
o Should WG establish best practices for how somebody should maintain trust anchors?
o The core of NHIN Direct is addressing and trust enforced through a selection of trust anchors.
o Essentially the circles you choose to participate in are your biggest mechanism for controlling who can send you messages and who you can send messages to.
o The determining factor is not “which providers do I think are good providers?” but instead related to the soliciting conditions for meeting my expectations for sending a message.
o Primarily, when I send a message to you, I have reasonable assurance that you are who you say you are, you have reasonable assurance that I am who I say I am, and we both believe the connection to be secure.
o Key decision when implementing direct messaging is which certificates, trust anchors, do I establish in my trust store, and what are my criteria for doing that?
· So the question is: is this topic of identity assurance and trust anchors a topic for the Best Practices WG?
o I.e., when you adopt a trust anchor, what would you expect them to have accomplished?
-->“Before you accept this trust anchor, you should assure ABC.”
Round the Room: Is this topic of identity assurance and trust anchors a topic for the Best Practices WG?
Name
Comment
Rich Elmore
· Yes, should be a topic as well as how to actually go about approving a trust anchor.
· So there is the criteria then also the process.
Susan Torzewski
· Good topic.
Kevin McLeod
· Good topic.
Laurie Tull
· Good.
Peter Clark
· Agrees, good topic.
David McCallie
· Good topic, thinks there are two aspects:
· (1) Do you trust that entity?
· (2) Do you trust the certificate authority that validated the entity?
David Kibbe
· Good topic.
John Williams
· Good topic.
Michael Firriolo
· Good topic.
Dragon Bashyam
· Good topic.
Pat Pyette
· Good topic, but does that mean we need conformance criteria?
· No question that we need to explore the topic.
Jack Kemery
· Good topic.
· Different points of view, nuances during this round point to the need for this to be a topic.
John Feikema
· Likes topic.
· One way to address simplicity: acknowledge there are certain steps that can take place in automated or manual process.
Tim Cromwell
· Need to look at this topic right away.
· Thousands added to their trust bank, need some sort of high level of formality to declare if they are trusted.
John Moehrke
· Thinks that going at this from the perspective of the small provider will add the most value.
· Agrees that the VA has difficult decisions to make, but they also have vast resources, and have been issuing certificates for years.
· It is the small provider that really needs the help. This problem looks very different from a small provider perspective, more like what David McCallie was talking about, “do you trust how you got the certificate?”
· Used analogy of receiving a business card from an associate: you do not trust the printer of the card or the secretary who designed the layout of the card, you trust the card because it was handed directly to you.
· Can demystify NHIN Direct through analogies.

Arien Malec
· Added that the VA or any large healthcare institutions provide care alongside small providers for consistent care, so don’t want to leave them out of the picture.
· Can leverage resources they already have.
· Will get charter up and in place, get key policy questions from both WGs, and come in next week with a more focused agenda.