Notes from Best Practices WG
Date: October 21, 2010
Time: 1:00 – 2:00pm EST
Attendees: Greg Chittim, Gary Christensen, Richard Elmore, John Feikema, Michael Firriolo, Don Jorgenson, David Kibbe, Patrick Pyette, Mark Stine, Laurie Tull, John Williams, Karen Witting, Arien Malec, Uvinie Hettiaratchy, Caitlin Ryan

Actions

Actions for This Week
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 18 | 10/21/10 | Make changes according to comments offered | Open | Arien Malec, Rich Elmore, ?? | 11/4/10 |
| 19 | 10/21/10 | Reach out to organizations for additional reviewing resources | Open | Don Jorgenson, David Kibbe | 11/4/10 |
| 20 | 10/21/10 | Draft content about HISP breaches | Open | Arien Malec, Greg Chittim | 11/4/10 |
| 21 | 10/21/10 | Vote on Best Practices for HISPs Call for Consensus | Opens 10/21/10 | Best Practices WG members | 11/4/10 |

Actions from Last Week

| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 15 | 10/14/10 | Send Certificate Pilot Recommendations Consensus link to Implementation Geographies WG | Closed | Uvinie Hettiaratchy, Caitlin Ryan | 10/15/10 |
| 16 | 10/14/10 | Make edits to Best Practices for HISPs document: · Clarify that an organization only needs to sign a BAA with one external HISP, with a chain of connected HISPs allowing for network wide exchange · Add language specifying that this document applies to the HISP as an organizational model, not a function that is internal to a covered entity · Explain that discussion about the individual was left out intentionally because the individual and traffic to/from the individual is well recognized within HIPAA. Then send around for Call for Consensus | Closed | Arien Malec | 10/18/10 |
| 17 | 10/14/10 | Set up Call for Consensus page for Best Practices for HISPs | Closed | Caitlin Ryan | 10/15/10 |

Agenda

Notes
Rich Elmore
  • Thinks it is a good document, it has come a long way
  • His first concern is about best practices for the Stage One MU individual use cases
  • Need to make sure individual case is covered in terms of HISP responsibility
  • During an earlier phase of the Direct Project, they were going to prioritize Stage One, provider to individual, but were not going to prioritize the individual back to the provider
  • Feels the individual to the provider use case has implications from a best practices perspective that the Best Practices WG should provide guidance for HISPs about

Arien Malec
  • Are the confining issues the issues of legal agreements, security, privacy, transparency?
  • There seem to be other ID assurance, workflow issues involved
  • Are there any particular edits you’d like to make to make sure the current Best Practices for HISPs document covers individuals more?
  • Trying not to address ID issues in this document
  • This is about protecting privacy, security, transparency as a HISP

Rich Elmore
  • Hasn’t spent the time necessary to develop recommendations, but he believes there would be some that would apply in those categories

Arien Malec
  • So far this document is not talking about individuals
  • HIPAA may not even talk about business associates of individuals
  • Gets complicated easily, he isn’t sure the law is clear

Rich Elmore
  • Agrees with the summary
  • His other concern is that when a provider sends info to an individual, what is our best practice position in terms of disabling or enabling a reply that was not Stage One for this project?

Arien Malec
  • Suggests it is a different topic about ID assurance and workflow for individuals and not about privacy, security, transport

Rich Elmore
  • If a HISP gets a response back from individual, will it pass through?

Arien Malec
  • If operating in agent mode, will apply consistent models to accept or reject transaction
  • Any particular workflow needs to be done at the provider level
  • Definition of a business association: provides functions or activities on behalf of the covered entity
  • Which makes dealing with the individual really confusing in this document

David Kibbe
  • Asked if all WG members understand the amended HIPAA business association definitions?
  • He doesn’t have them in front of him, but the idea of a business association and their responsibilities, obligations has significantly increased as a result of the NPRM
  • Wants to make sure people were not criticizing circa HIPAA 2009

Arien Malec
  • Right but now the NPRM has no enabling mechanism
  • When we get to a final rule, will need to revisit this document

Rich Elmore
  • His second comment was about making sure healthcare stakeholders have a real easy way to be able to sign up for the Direct Project, and to connect to others without a lot of bureaucracy
  • In an ideal situation, a provider would sign up once with a HISP and that HISP is in turn responsible for having the right kinds of agreements with other HISPs
  • It would be a single act of signing up with a single HISP
  • If we do that we have a shot at rapid and wide adoption
  • Or else providers are almost forced into doing agreements party by party

Arien Malec
  • Goal of the document was to get away from that
  • Acknowledges that is the world we are trying to get to
  • HIPAA provides responsibly and strong protection to individuals for the privacy and security of their health information through covered entities
  • HIPAA then extends those provisions to make this simpler, to business associations
  • Complication: really strong protection for covered entities, strong for business associates, but if you have a transaction for a third party between business associates, gets murky
  • As David Kibbe notes, recent NPRM changes may make it less murky
  • Definitionally, the HISPs for state immunization aren’t a business assoc, which is why he added language about “equivalent contractually binding legal agreements”
  • Reason to limit in this way is to get away from the need for reciprocal arrangements
  • If you go beyond the boundaries of HIPAA, you run into more murky nuance
  • Very complicated, but those complicated situations happen often

Rich Elmore
  • Shouldn’t be ambiguous
  • Should go back to ONC

Arien Malec
  • Which is great, ONC can give governance guidance and regulatory guidance, but the process for doing both of those is long-term, not short-term, not likely to help with Direct Project pilots

Don Jorgenson
  • In a HISP to HISP situation, would it make sense to provide guidance for what provisions between them would allow for reduction in number of documents?

Arien Malec
  • Ideally these transactions don’t require reciprocal legal agreements in order to function, because that model is unscalable
  • If we want an open dynamic market for information exchange and high levels of trust, transparency, and security, it would be great to not have reciprocal agreements

Don Jorgenson
  • If there is guidance on that, and the HISP agrees to provisions and to defining important criteria, then they have a pivot point to move toward from each one

Arien Malec
  • The sender alone is responsible, which helps us a lot in policy
  • Next steps: Needs to do a second take, all seem to agree on overall principles, but don’t see a need for lots of reciprocal agreements

Round the Room: Rich Elmore’s Comments on Best Practices for HISPs

Laurie Tull
  • No comment

  • Doesn’t want this to be “big H big I big E,” should be simpler
  • If I’m a user and I have a relationship with a HISP, that should be enough, so that I can communicate with another provider

John Williams
  • HISP breach and breach reporting is also important

Michael Firriolo
  • No comment

Karen Witting
  • Read that the certificates would be used as the basis of trust, so that the sender and receiver have an anchor that is the basis for trust, and that anchor determines which policies both sides agreed to
  • Someone has to resolve that I’m sending/receiving to endpoints, the senders have to have a level of trust that is compatible

Arien Malec
  • With regard to certificates, the main trust issue is
  • a) Are you the you I think I’m sending to?
  • b) Am I the me you think you are receiving from?
  • c) Do I have confidence my mail isn’t being opened and nothing else unknown is happening in flight?

Karen Witting
  • What about other policies?
  • Is that where the murkiness is?

Arien Malec
  • Policies define essentially what the ground should be for the pilots
  • HIPAA provides at least reasonably strong protections for individuals, but doesn’t apply to everybody
  • A lot of what we are discussing, HIPAA should be able to apply to all parties and transactions

Don Jorgenson
  • No comment

Patrick Pyette
  • No comment

Mark Stine
  • No comment

Gary Christensen
  • Requirement: should be scalable
  • Second, not so clear if we end up needing to have HISP to HISP agreement, not as much of a non-starter

Arien Malec
  • Neither of those two principles are set out in the preamble, he will add

Greg Chittim
  • No comment

John Feikema
  • Gary’s comments are aligned with mine in terms of what the larger issue is
  • HISP to HISP agreements might be problematic, not a problem if they can sign a common agreement, much like the DURSA


Pat Pyette
  • First, HIPAA is very focused on PHI; does this document intend to do the same?
  • We have to make sure that PHI is either called out very specifically, or broaden the definition to include all kinds of personal info

Arien Malec
  • Interesting, because the protected data has a definitive definition under HIPAA, but there may be a broader spectrum of data that needs the same protections as in HIPAA

Pat Pyette
  • HIT Policy Committee is coming out with recommendations and will continue to come out with recommendations
  • Direct Project documents should say “recommendations as they are currently stated”

Arien Malec
  • Great point
  • The pass between HIT Policy Committee recommendations becoming regulations is going to be a long time
  • Recommendations as they currently exist should be the aim, even if they may end up being best practices with no enforcement mechanism in some cases, but regardless, the Direct Project organizations will abide by them

Pat Pyette
  • You can only agree with what is in front of you today, not what may come tomorrow
  • Next, a comment on Recommendation #6: We really want to be in concert with principle of minimum collection
  • However, a HISP doing just HISP work will not survive long in the marketplace, so the recommendation could identify other value added services
  • Language edit “service obligations of the HISP” rather than “function of exchange required”
  • May offer other value-added services, just needs to be disclosed

David Kibbe
  • Seems likely that once there are 35 or 112 HISPs, there will be some kind of association representing those organizations, and that they will all in effect represent an industry group that has a strong mutual interest in conducting business in a standardized manner within the framework we are discussing now
  • They may find a way to create a convention with respect to BA agreement to add additional
  • For now this is just a theoretical comment
  • We can’t over-determine how these organizations choose to behave in the future, but we can hope they will behave in line with ideals we set out

Arien Malec
  • 1) Setting best practices for pilots so that at least with respect to the pilots we have some level of voluntary commitment to maintain public trust
  • 2) Setting out rules that organizations have voluntarily adhered to, foster innovation, protect privacy and security, all of which could be an input to the governance process for the Nationwide Health Information Network, which could include rules for effective messaging
  • Distinction between regulation and voluntary associations --- Direct is voluntary
  • Other comments on Best Practices for HISPs document:
  • Will Ross makes the point that only a BA is inadequate for best practices
  • I think that’s what the best practices were acknowledging—BA is necessary but not efficient
  • Asked for volunteers for mini-review of Best Practices for HISPs document
  • Suggested a Round on if we address these topics, if we are ready to move forward

Round the Room: Will the Best Practices for HISPs document be ready if revisions discussed above are made? Are there volunteers to help review?
Laurie Tull
  • Will all of the best practices documents be rolled up into one big one, or will they be chapters?

Arien Malec
  • Great suggestion, would be a really nice thing to do
  • Thinks it is hard enough already to get the documents through consensus individually, so might make sense to send them through as chapters
  • Trying to take off logical chunks

Laurie Tull
  • Realizes it will be a work in progress
  • Right now they are trying to get best practices for the pilot programs, and not look further down the road

Rich Elmore
  • Happy to assist in follow up work
  • Can think through the implications of the document and help in that perspective, but would be good to have an expert on rules and proposed rules
  • Thinks the document will be complete after next round of review

Arien Malec
  • He does internal reviews with ONC, but they cannot actually make recommendations
  • Direct is all voluntary
  • Would be useful for someone in Direct to be involved in that level of review

John Williams
  • No comment

Michael Firriolo
  • No comment

Karen Witting
  • No comment

Gary Christensen
  • Is there anything we want to be talking about in terms of the “don’t look at the message” idea, as a best practice?

Arien Malec
  • The Policy Committee was looking into that

Don Jorgenson
  • Has a resource to offer for reviewing

Mark Stine
  • No comment

John Feikema
  • Is comfortable with review plan

David Kibbe
  • Has another CGC, lawyer he will ask to assist with reviewing
  • She is strong with regulatory law
  • Also willing to participate

Gary Christensen
  • Doesn’t want to lose track of the breach issue

Arien Malec
  • Also thinks breach issue is important to look at
  • It is the sender’s responsibility

Greg Chittim
  • Thought WG was tabling the discussion on this, but if moving forward will serve on review team

Arien Malec
  • They will propose something on HISP breaches, will get back to the WG
  • There are at least two other potential best practice areas to explore
  • Expectations on e-mail infrastructure: attachment links, virus scanning
  • Set of issues Rich Elmore raised relating to the individual
  • The Tiger Team hasn’t looked at individuals at all yet, so this would be uncharted territory
  • Any interest in doing these, writing up draft?

Round the Room: Seeking volunteers to draft content for next best practices focus
Rich Elmore
  • No

Laurie Tull
  • No

John Williams
  • No

Michael Firriolo
  • No

Karen Witting
  • Overwhelmed with things to read

Arien Malec
  • Open questions tracker for pilots

Don Jorgenson
  • Can assist

John Feikema
  • No

David Kibbe
  • Important that the individual be considered
  • Informs other use cases

Greg Christensen
  • Biggest issue is who is the type of person who has the right background
  • Who can address e-mail issues?

Greg Chittim
  • Is addressing HISP issues, for now

Arien Malec
  • Will make revisions
  • Will allow an additional week after the face to face meeting to make revisions, new Call for Consensus due 11/4/10