Notes from Best Practices WG: October 7, 2010
Time: 1:00 – 2:00pm EST
Attendees: Nageshwara (Dragon) Bashyam, Greg Chittim, Peter Clark, Rich Elmore, John Feikema, Michael Firriolo, David McCallie, Kevin McLeod, Mark Stine, Susan Torzewski


Actions for This Week (action; owner; Due Date column empty)
  • Wants additional edit about clarifying the level of trust in the Certificate Pilot Recommendations Discussion. Owner: Arien Malec.
  • Post organization’s consensus votes to the wiki by Tuesday, 10/12/10. Go to the Discussion tab of the Certificate Pilot Recommendations Discussion. Owner: Best Practices WG members.
  • Can mark Question 8 in the Open Questions Tracker for Pilots as transferred and addressed. Owner: Arien Malec.
  • Form a task force to draft recommendations. Owner: Arien Malec.

Actions from Last Week (action; owner; Due Date column empty)
  • Send high priority best practices items to David McCallie, Arien Malec. Owner: Best Practices WG members.
  • Read and comment on “Certificate Pilot Recommendations Discussion.” Owner: Best Practices WG members.
  • Start developing language around minimum policy requirements. Owner: Arien Malec and others with HIO experience.
  • Incorporate proposed edits in next draft. Owner: David McCallie, Sean Nolan (absent).
    - Create a preamble about trust, what is implied and what is not implied, referencing the Security and Trust Overview document.
    - Develop additional best practices around what an organization is.
    - Clarify the middle paragraph of Question #3, about minimal policy requirements for a community.
    - Add clarification about no automatic renewal of certificates.
    - Reflect the need to discourage competition across HISPs in terms of identity and integrity.

David McCallie
  • Updated group on recent Tiger Team developments.
  • John Lumpkin, Chair of the Governance Workgroup making recommendations to the HIT Policy Committee on NHIN Governance, came to the Tiger Team meeting yesterday to give a summary of what the Governance WG is thinking about.
  • Gave a snapshot on how they are planning on approaching the governance.
  • Issue of note, he made no mention of NHIN Direct or “directed communication,” which already receives special exemption in previous Tiger Team recommendations to the HIT Policy Committee in terms of consent.
  • That recommendation was already accepted and passed up to the regulators.
  • The Tiger Team asked Mr. Lumpkin if they had given thought to directed exchange falling under their governance purview.
  • He responded that the Governance Workgroup hadn’t thought about directed exchange very much, but that they did want it to fall under their purview.
  • Boiled down, it comes back to the notion of a brand; if an entity participates in healthcare exchange under the brand, whether directed exchange or more traditional HIE registry exchange, it will fall under the governance of this new Governance group.
  • The final recommendations from the Governance Workgroup are not due to the HIT Policy Committee for another month, so they now have to deliberate.

Arien Malec
  • Has had internal discussions within ONC where he has expressed the view that the Nationwide Health Information Network should be broad and expansive, and should have a home for directed messaging.
  • The discussions he is having in the ONC don’t always link over to advisory committees.

David McCallie
  • At least three to four ONC workgroups cover overlapping material.
  • Some are working on patient identity matching and provider identity verification.
  • Raised a separate point that came from a conversation with Sean Nolan about how do we authenticate or credential the pilots?
    • The point is now reflected in the certificate management document that we should work really hard to not deviate from the commonly accepted certification practices that physicians use already to gain access to various systems.
    • Consistent with the notion that there should be a common governance model.
    • It would be an undesirable outcome for providers to have to go out and get several different certificates to be able to exchange.

Arien Malec
  • Has had a series of discussions on David’s points above with members of the Tiger Team and the task force part of the information exchange group on directories.
  • He gave the Tiger Team and ONC internal policy contacts the WG’s drafted best practice recommendations around certificate authorities and identity assurance.
  • Sees at least two areas overlapping between Best Practices WG and Tiger Team.
    • NIST level of assurance
    • Identity assurance at the organization versus individual level
  • Circulated internally and with Paul Egerman and Deven McGraw, co-chairs of the Tiger Team.
  • The work of the Best Practices WG is a little ahead of the Tiger Team’s work.
  • Tiger Team may end up having Policy Committee recommendations to the secretary or to Dr. Blumenthal that conflict to a small degree with the recommendations formed by the Best Practices WG, but feels both groups are headed in the same direction, more or less.
  • One area of potential confusion is the NIST level of verification.
    • Should they pick 1 level of ID assurance for everyone?
    • Should they offer 2 to choose from?
    • If so, which level(s)?
  • He is pushing for two options:
    • If you are doing controlled substance prescribing, need to be at level 3.
    • Or if you are doing ordinary fax machine stuff, go with level 2.
  • Problem presents itself when it comes to switching from 2 to 3.
    • The difference doesn’t really impact the provider.
    • But for establishing NIST Level 2 it is acceptable to just look up an ID in a directory.
    • For NIST Level 3, you would do the same thing, but then you need to record the phone call as proof that you’ve done that activity.
    • May mean that you have an existing hospital credentialing process that satisfies NIST Level 2 but not NIST level 3.
  • Directories work has been interesting.

  • Proposed going over revisions to the best practices recommendations on certificate management and identity.
  • First order of business should be to review the changes, and do a round on the document as it stands.
  • Asked for any additional agenda items.
  • Asked if anyone else on the call participated in the edits to the best practice guidance.

Certificate Pilot Recommendations Discussion
  • Main changes made:
    • Clarified the difference between community, organization, and implementation.
    • Tried to make it clear which levels of policy and trust they’d be talking about, primarily with regards to identity.
    • Clarified minimum identity and authorization requirements for a community.
    • Specified NIST Level 2 as a best practice for activities in this area, making it clear that if you don’t have those methods, there is a decent best practice congruent with NIST Level 2 to verify the place of practice and verify licensure.
    • Last edit: can reuse existing e-mail, but it is highly suggested not to.
      • Should minimize human error.

Round the Room on Edits to the Certificate Management Recommendations
Rich Elmore
  • Wondered about VA participation.
  • Asked how Arien Malec sees VA participation developing throughout implementation.
  • Right now it is a pilot, with a later phase for more general use; how does he see that transitioning?

Arien Malec
  • For the initial pilot, they are talking about reusing the VA’s existing Exchange connectivity, a HISP that multi-homes in Direct policy and Exchange policy.
  • Clearly at some point they will need to look at their policies and make some decisions about how they want to accept messages from Direct participants that are not part of initial Exchange.
  • Expects that the Governance WG is currently reviewing this, and will establish a governance mechanism going forward.
  • Thinks the governance mechanism expects a home for directed messaging that has a set of well informed policy.
  • Hopes lessons learned through Direct will inform the sets of policies created at a national level.

Rich Elmore
  • Asked if the VA would be able to participate in pilots.

Arien Malec
  • Yes, through their Exchange connection.
  • Also through special purpose policy.

John Feikema
  • When looking at Question #1 for organizations, noticed that the criteria for deciding participation in a given community did not include guidance on a base level of certificates.
  • Thinks there needs to be a HIPAA or HITECH assertion that they want to play by the rules and to state the rules or “behavior policies” they will play by.

Arien Malec
  • Historically we’ve made the decision to separate trust decisions about operational standards from trust decisions about whom I am exchanging with.
  • Understanding that at the end of the day, it is the message sender’s responsibility to verify that they are sending to a known user.
  • Message receiver’s responsibility is to adhere to federal and state law and local policy and regulation.

Rich Elmore
  • First sentence of Question #3 also applies, “baseline policy might be simply that the participating organization has been physically verified to be a legitimate organization that sends or receives protected health information, and has confirmed their commitment to complying with HIPAA and/or other applicable regulations.”

Arien Malec
  • Wants additional edit about clarifying the level of trust.
  • Given the informal level of consensus, proposed taking the recommendations to WG consensus.
  • Asked for consensus votes on the wiki by Tuesday, 10/12/10.

Open Questions Tracker for Pilots
  • Proposed to review Open Questions Tracker for pilots.
  • Identifying questions that have not yet been resolved.
  • Question 4: Is there a specific domain naming convention that should be used for the user's NHIN Direct address?
    • Addressed in revised certification document, stating as a negative: the name should not say or imply membership in NHIN.
    • Did not use a positive, but have tended to use, etc.
      • Is there a need or a value in that?
    • David Tao suggested reviewing Policy Questions for Implementations and adding or amending that, but it is not issuing recommendations, just consolidating all questions.
  • Question 6: Questions related to HISPs from Paul Tuten
    • Questions about security, audit, log, transparency practice policies.
  • Question 8: Question from Paul Tuten about organization versus individual NHIN Direct addressing conventions/usage.
    • Can mark as transferred and addressed.
  • Question 9: Related to provider directories, from Paul Tuten.
    • Arien Malec prefers to stay out of this until the HIT Policy Committee addresses.
  • Question 10: Question regarding XDR vs. XDD & timeline implications, from Parag More.
    • This will be answered through the XDR Spec.
  • Question 11: Questions about legal participation agreement for NHIN Direct users, from Will Ross.
  • Question 12: Questions related to message content from Mark Stine.
  • Question 13: What information can/should be stored on the HISP for logging or auditing purposes? (from RIQI)
  • In sum, the questions on the Open Questions Tracker fall into four main areas:
    • Attachment types, storage, and virus scans
    • Formatting of domain names and e-mail addresses
    • Certification of HISPs
    • Standardization of legal agreements

Round the Room on Next Priorities for the Best Practices WG
Rich Elmore
  • Ensuring HISPs are in place and at the right level of practice will be important to establishing stakeholder confidence.
  • Would be good to get some legal guidance on basic legal requirements.
  • Other priorities include working out policy around directed exchange with patients.

Susan Torzewski
  • Thinks that minimum standards for HISPs need to be worked out.

Michael Firriolo
  • Virus scanning is especially important for smaller providers.
  • Do not want HISPs to become a routing mechanism for viruses.

Dragon Bashyam
  • HISPs.

Mark Stine
  • Same, HISPs.

Greg Chittim
  • Fundamental design decisions around HISPs: what data can be stored and for how long?

Arien Malec
  • Concluded from round that the highest priority is best practices around HISPs for security, audit, logging, and transparency.
  • Will convene a special task force to draft up a document very quickly, the same way Sean Nolan and David McCallie did for certificate management best practices.