Best Practices Workgroup Notes
January 13, 2011

  • Status of current best practice areas:
    • Two documents up for full Implementation Group consensus:
      • Certification Pilots Recommendations Discussion: Arien working with "no" votes to address issues and achieve consensus.
      • Best Practices for HISPs: up for consensus on 1/25. Members are encouraged to review and provide feedback.
    • Certification Authority Policy Recommendations Subgroup - Arien completing updates to proposed document (guidance to HISPs, States, other orgs w/ responsibility for vetting CAs for inclusion in trust anchors). Subgroup review occurring this week. Up for subgroup consensus this week. Up for consensus by this workgroup likely next week.
  • Other potential areas of focus for best practices:
    • Handling of identity assurance for individuals;
    • Email attachment handling, virus scanning, etc.;
    • Conformance Document: "what does it mean to be Direct?"
      • Specification makes clear that individual receiver may have explicit requirements or configurations at an address level for what type of content may be accepted by that address. (e.g., an address may be configured to only receive HL7 lab message data, etc)
      • HITSC in review of Direct had concerns with this language, that it was making a policy decision in guise of a technology implementation. Specifically, a policy preference that a receiving health system in order to claim Direct compliance, they must be able to interoperate with a broad degree of senders. A receiver that only wants heavily structured data may be impeding the flow of information and achievement of transitions of care compliant with meaningful use. This is clearly a policy issue more than a technology or standards issue.
        • Struggling with how to express policy preference in a way that doesn't impact technology. May return to Best Practices WG to explore those areas.
        • Pat Pyette: recommend not tackling this item - this is a local policy decision on the receiver end and should not be part of Direct discussions.
        • Arien: A HITSC member raised a concern that if there were a defacto agreement amongst a group not to accept anything except complexly structured documents, it would kill the goal of simple message delivery and interoperability.
        • Arien: in conversations with Dixie and John, reached agreement that specification is fine as is, but need to express this policy consideration in something like "What does it mean to be Direct?" document - currently being drafted by Documentation and Tested WG. Will head to this WG as a Best Practice after completion.
    • No interest expressed by WG members in taking on additional work in the area of best practices at this time
  • Other Issues:
    • David: Are we defining (in definition of Direct) how security is mandated? Could leave optionality on certificate management that effectively broke goal of universal addressability or conversely nail down so tightly with specific certificate distribution model that people refuse to cooperate.
      • Arien: We're coming toward a good CA policy statement that should mitigate concerns about overly prescriptive in ways that would limit interoperability while still ensuring a good floor for trust. DNS is still there as an option for certificate discovery. All reference implementation support DNS. We're in a de facto state with good enough discovery mechanism without inappropriately locking it down.
    • David: In yesterday's HITSC meeting, Walter Suarez gave an update on technical specifications for directory services, starting with "entity directory services", and eventually moving toward "individual directory services". Likely work will come to privacy/security workgroup. Key issue will be certificate discovery - most people know who they communicate with. It's not about finding out what someone's address is, but getting a hold of their digital certificate so you can interact with that. Multi-year long-range solution, but still need something in the interim.
    • Rich: An additional suggestion for best practice area - Direct Project Compliance once it comes out of documentation and testing.