Notes from Best Practices WG
Date: November 4, 2010
Time: 1:00 – 1:50pm EST
Attendees: Gary Christensen, Don Jorgenson, David McCallie, Mark Stine, John Williams, Karen Witting, Arien Malec, Uvinie Hettiaratchy, Caitlin Ryan

Actions

Actions for This Week

# | Date | Action | Status | Owner | Due Date
--- | --- | --- | --- | --- | ---
22 | 11/4/10 | Create visual that shows the data flows (see notes below) | Open | Communications WG | 11/30/10
23 | 11/4/10 | Ask Rich Elmore, Janet Campbell, Sean Nolan and possibly someone from Google if they want to draft up best practices for individuals | Open | Arien Malec | 11/8/10

Actions from Two Weeks Ago

# | Date | Action | Status | Owner | Due Date
--- | --- | --- | --- | --- | ---
18 | 10/21/10 | Make changes according to comments offered | Open | Arien Malec, Rich Elmore, ?? | 11/4/10
19 | 10/21/10 | Reach out to organizations for additional reviewing resources | Open | Don Jorgenson, David Kibbe | 11/4/10
20 | 10/21/10 | Draft content about HISP breaches | Open | Arien Malec, Greg Chittim | 11/4/10
21 | 10/21/10 | Vote on Best Practices for HISPs Call for Consensus | Opens 10/21/10 | Best Practices WG members | 11/4/10


Notes
Arien Malec
  • The face to face meeting really didn’t focus on policy or best practices matters
  • Might want to add in some technical best practices for the work that is being done
  • Certificate Recommendations
  • Passed consensus, ready for IG consensus
  • Certificate and identity
  • Is wondering if it would be better to hold until the Privacy and Security Tiger Team finishes its work on this issue

  • Second piece in flight is Best Practices for HISPs
  • Got a fair amount of feedback, both through internal reviews and through this group
  • He did a pass at editing to address the common concerns
  • There are a number of organizations that wanted to get their legal teams involved
  • We’ve had a little bit of legal review so far
  • Might be worthwhile for him to re-review, go over edits

  • Third and fourth topics that have been the subject of active discussion
  • 1) Best practices related to individuals, identity assurance as well as continuation of discussion from early in the project about use cases, provider to patient
  • 2) Best practices relating to attachment sizes and virus scanning and the things that become part of normal e-mail processing requirements
  • Sentiment so far has been that it’s better to complete the two things in flight rather than take on new business

David McCallie
  • Do changes to the documents reflect some of the comments from the Standards Committee meeting?

Arien Malec
  • Did a review with Dixie on the privacy and security aspects of the two current specs, she will have the Privacy and Security WG of the Standards Committee review
  • Should probably wait until they conclude their review to make changes

David McCallie
  • Dixie has not formally asked the committee to review yet
  • Some of their questions do relate to best practice issues, and other questions just show that they still don’t quite understand what we are doing, which means we need stronger messaging

Arien Malec
  • Have 4 topics of discussion for this meeting
  • 1) Certificate best practices
  • 2) Where we are with the best practices for HISPs document
  • 3) Feedback from the HIT Standards Committee in terms of addressing
  • 4) Whether we want to take on additional best practices

Topic 1: Certificate best practices
  • We have the certificate handling best practices document, pretty well done
  • Has been reviewed a number of times, has gone through a couple sets of review, both with this group and through the Security and Trust WG
  • Next step would be for it to go to IG Consensus
  • Noted that the Security and Trust WG had two organizations that went on to do a separate review, so the document is not complete through the Security and Trust WG
  • Should complete as of today’s meeting (11/4)
  • Assuming the document passes through the Security and Trust WG, we could take two approaches
  • 1) Keep essentially as a sub-IG consensus approved deliverable until Tiger Team has finished its conversation
  • 2) Go ahead and get approved at IG level, understanding we may need to revise
  • Asked for any strong opinions

David McCallie
  • The fewer times we have to change things, the better
  • Would prefer waiting if changes are likely
  • It is such a complicated topic, seems like something will come up in review

Gary Christensen
  • Doesn’t have a strong opinion, but thinks decisions should be based on what the utility of the document is with respect to the other ongoing activities
  • If we think it is generally useful and generally right, we should make it available for folks to use
  • If we think it isn’t relevant to the ongoing activities, we can hold it for now

Don Jorgenson
  • Useful feedback, as a guide

Arien Malec
  • Can pass for now, and assuming it gets through the Security & Trust WG, can submit to full IG
  • They had put in a reference to NIST Level 2, and later felt it didn’t make sense
  • Would be better to say “equivalent to” rather than saying “NIST Level 2”

David McCallie
  • Thinks that is in the spirit of how NIST approaches things, not to be proscriptive, but provides examples
  • Has no trouble with
  • Has question about whether or not we should specify a NIST level at all, can come back to that question

<No other WG member had an issue with using “equivalent”>

David McCallie
  • Question about using NIST at all
  • Standards for users connecting to an HIE
  • Should ONC require very specific credentialing to connect to an HIE?
  • In providers’ workflow, EMR, already on the hook to ensure that only the proper users have access to the EMR in the first place and that securities are in place so functions available to a provider match their role
  • Do we want to have an additional authentication step?
  • Or “if you are a provider authorized to use your system, you can use Direct?”

Arien Malec
  • We have language about that in the document already

David McCallie
  • That’s the spirit exactly—if you’ve already crossed that hurdle, you don’t have to go through additional steps
  • If coming into an isolated portal, it’s a different story

Arien Malec
  • Remembers Farzad Mostashari making the point that if I can change things but not send a message electronically, that seems silly

Don Jorgenson
  • Ultimately it is the issue Arien raised – we need to have vocabulary, terminology appropriate to describe what the levels of proofing and assurance are that can be applied to making the decision whether trust is appropriate, using NIST language or not

Arien Malec
  • That was the direction he was going in by using “equivalent with” or “consistent with”

Don Jorgenson
  • Thinks that’s fine for now

Arien Malec
  • Thinks the Tiger Team will come out with recommendations that will go through the Policy Committee and be part of a governance process

David McCallie
  • Initial focus is on entity authentication rather than individual, but the Tiger Team discussion will likely move to individual level

Arien Malec
  • Current recommendations talk about organizations

Second topic: Best Practices for HISPs
  • Current status is there are a number of organizations that requested an extension of the review to get legally reviewed
  • Couple instances where additional legal review is needed
  • Kryptiq, Surescripts, requested additional legal review
  • Did one pass with MedPlus/Quest Diagnostics
  • He will reach out to Surescripts and Kryptiq
  • He made changes
  • He took out language about it not covering individuals, wasn’t necessary
  • Examples of why BAAs might not be explicitly required, if contractee is not a covered entity
  • Changed “PHI” to “PII”
  • Noted that when he mentioned “equivalent protection” in cases where the organization is not a covered entity, then organizations that are HISPs to that organization will not be BAs under the terms of HIPAA
  • Noted in the recommendations that either you need to be an individual covered entity and therefore a BA as covered by HIPAA or else have an equivalent and contractual agreement
  • Deven pointed out you can’t ever be equivalent because they don’t have enforcement powers
  • Added “collection” to list of duties performed by HISP
  • Note from Inpriva, “minimal use” rather than function of exchange
  • Transformation services, more than is minimally required
  • Can see change log if you click on history/changes

David McCallie
  • Question, someone asked if we had discussed or been approached about Homeland Security Patriot Act-like implications of the way we are doing encryption

Arien Malec
  • We will know we are successful when we get questions like that

David McCallie
  • Would prefer not to worry about this issue, but do we have to? Richard Marks, a HIPAA lawyer who used to work for the NSA, asked

Arien Malec
  • Third Topic: Discuss feedback from HIT Standards Committee
  • Most of the feedback was not relevant, was an odd meeting
  • “Why did you choose REST?”
  • “Is this simple enough?”
  • “Why do you keep mentioning XDR?”
  • Asked David to help summarize

David McCallie
  • Covered one class of questions that came up, “it’s too complicated” on the one hand, and on the other, “it is too complicated, why do you keep using XDR, XDM?”
  • Did a good job of addressing questions, people weren’t really asking as much as making a point
  • No critical issues other than our continued need to communicate exactly what we are doing
  • Second set of issues from Dixie Baker, misunderstanding how our security model works
  • Potential for inadvertent exposure of patient data at HISP that we haven’t accounted for
  • She is failing to recognize that we are treating the HISP as a BA, and expect the same best practices around PII that we would if they held an EHR
  • Can encrypt the desktop, if they choose to do so

Arien Malec
  • In private discussion she also raised whether the specs themselves cover audit or the requirement to audit
  • That may come up during the workgroup review
  • Thinks the next step is for Dixie to request a workgroup review

David McCallie
  • There is still a lack of understanding of what we are doing
  • He used the current slide set about two weeks ago
  • We are missing a knock-out visual that shows the data flows; we have all the right words, but you can’t point and show where the doctor sits, where the HISP sits, here is where it gets encrypted, here is where it gets decrypted

Arien Malec
  • Thinks the visual should cover HISP agent model as well as the pure routing model

David McCallie
  • Right, so two pictures, Option One and Option Two
  • There is a gap in understanding, not a gap in design

Arien Malec
  • Asked for comments on Standards Committee review if anyone heard

David McCallie
  • Dixie made the assertion that the Standards Committee made recommendations and Direct ignored them all, but Arien addressed those concerns well

Arien Malec
Fourth topic: New areas of focus
  • Asked whether there is any energy to take on best practices related to two other wants and needs from the implementation geographies
  • 1) Identity assurance for patients, bilaterally
  • 2) Best practices related to attachment handling
  • He’s unable to work on these himself

David McCallie
  • Asked if a PHR is participating in a pilot

Arien Malec
  • Yes

David McCallie
  • Would they have an approach to handle consumers that might be participating?
  • Individuals using the system who aren’t providers
  • Would Microsoft or anyone else be facing this issue?

Arien Malec
  • This topic has also been of a lot of interest to Rich Elmore
  • Asked Gary if he feels he has appropriate best practices for this issue
  • Are they involving individuals in their pilot?

Gary Christensen
  • Was just about to say that he would put the consumer/individual issue below the attachments issue
  • Because initial user groups will likely be doctors, not individuals
  • We’re not focused on that yet

David McCallie
  • Just doesn’t want to ignore the individuals issue, so folks with a vested interest in approaching consumers should drive this conversation
  • Arien asked when advice on individuals would be needed

Don Jorgenson
  • Sometime, but there is no sense of urgency yet
  • Have ability to send any kind of messaging
  • Not an issue in the pilot early on, he’s fine with deferring for a little while
  • Microsoft, PHR vendors

David McCallie
  • Discussion on size of message, back when initially debating
  • Essentially not allowed through public SMTP channels
  • Debated notion that they could pick arbitrarily large message size and set as practice
  • Now perfectly feasible that S/MIME could go over standard mail channels
  • We cannot guarantee the size

Arien Malec
  • Have people who want to use same transactions for claims attachments
  • CMS is planning on massive file sizes

Gary Christensen
  • Asked Don if questions came up in the working group

Don Jorgenson
  • Thinks it’s an implementation and capability issue for service provider rather than a best practices issue
  • Probably should steer clear of at this level

Gary Christensen
  • Are there any things that say that’s a good question, we should get consensus on it?
  • Or else if we aren’t hitting up against it in our pilot, we don’t need best practice guidance yet

Don Jorgenson
  • Might double check with Pat Pyette

David McCallie
  • Can’t guarantee every gateway will handle an arbitrarily large file

Don Jorgenson
  • Depends on the implementers, if we get into how to resolve, how do we discover, that’s a different issue

David McCallie
  • Not sure it is technically possible to guarantee an arbitrarily large size
  • Would be an implementation’s decision
  • Would fit in a best practices document, could set limit
  • Would want to talk to more of an SMTP expert

Gary Christensen
  • Besides size, are there any other issues?

Arien Malec
  • Requirements about whether every HISP must provide virus screening services, for example
  • Hearing lots of good discussion, but no one signing up to write first draft

John Williams
  • What about addressing other security considerations?

Arien Malec
  • We do require compliance with HIPAA security rules

John Williams
  • Would like to see expansion on that
  • Seems like a starting point

Arien Malec
  • Ends up being much more detailed
  • At a high level right now for best practice perspective, at the next level down we would need security officers involved to look at scanning, protection, policies for open ports, etc.
  • Will ask Rich Elmore, Janet Campbell, Sean Nolan and possibly someone from Google if they want to work on individuals
  • Thinks there is a set of known patterns on how to do this, thinks someone could write the first draft quickly